CVE-2020-12137
24.04.2020, 13:15
GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed application/octet-stream MIME parts. This behavior may contribute to XSS attacks against list-archive visitors, because an HTTP reply from an archive web server may lack a MIME type, and a web browser may perform MIME sniffing, conclude that the MIME type should have been text/html, and execute JavaScript code.
Vendor | Product | Version |
---|---|---|
gnu | mailman | 2.0 ≤ 𝑥 < 2.1.30 |
debian | debian_linux | 9.0 |
debian | debian_linux | 10.0 |
debian | debian_linux | 8.0 |
canonical | ubuntu_linux | 16.04 |
canonical | ubuntu_linux | 18.04 |
opensuse | backports_sle | 15.0:sp2 |
opensuse | leap | 15.2 |
𝑥 = Vulnerable software versions
