CVE-2020-12137

6.1MEDIUM

Key Information:

Vendor
Gnu
Status
Mailman
Vendor
CVE Published:
24 April 2020

Summary

GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed application/octet-stream MIME parts. This behavior may contribute to XSS attacks against list-archive visitors, because an HTTP reply from an archive web server may lack a MIME type, and a web browser may perform MIME sniffing, conclude that the MIME type should have been text/html, and execute JavaScript code.

References

https://www.openwall.com/lists/oss-security/2020/02/24/2
x_refsource_MISC
https://www.openwall.com/lists/oss-security/2020/02/24/3
x_refsource_MISC
http://bazaar.launchpad.net/~mailman-coders/mailman/2.1/v...
x_refsource_MISC

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.