CVE-2020-12137
Published: 2020-04-24
Severity: medium (CVSS 3.1 base score 6.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed application/octet-stream MIME parts. This behavior may contribute to XSS attacks against list-archive visitors, because an HTTP reply from an archive web server may lack a MIME type, and a web browser may perform MIME sniffing, conclude that the MIME type should have been text/html, and execute JavaScript code.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| gnu | mailman | >= 0 < 1:2.1.20-1ubuntu0.4 | 1:2.1.20-1ubuntu0.4 |
| gnu | mailman | >= 0 < 1:2.1.26-1ubuntu0.1 | 1:2.1.26-1ubuntu0.1 |
| gnu | mailman | >= 0 < 1:2.1.29-1ubuntu3.1 | 1:2.1.29-1ubuntu3.1 |
| gnu | mailman | >= 2.0 < 2.1.30 | 2.1.30 |
| opensuse | backports_sle | — | — |
| opensuse | leap | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| osv | — | 6.5 | MEDIUM | — |