CVE-2020-12137
Date: (C) 2020-04-24   (M) 2023-12-22

GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed application/octet-stream MIME parts. This behavior may contribute to XSS attacks against list-archive visitors, because an HTTP reply from an archive web server may lack a MIME type, and a web browser may perform MIME sniffing, conclude that the MIME type should have been text/html, and execute JavaScript code.

CVSS Score and Metrics

CVSS V3 Severity:
  CVSS Score: 6.1
  Exploit Score: 2.8
  Impact Score: 2.7

CVSS V3 Metrics:
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: CHANGED
  Confidentiality: LOW
  Integrity: LOW
  Availability: NONE

CVSS V2 Severity:
  CVSS Score: 4.3
  Exploit Score: 8.6
  Impact Score: 2.9

CVSS V2 Metrics:
  Access Vector: NETWORK
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality: NONE
  Integrity: PARTIAL
  Availability: NONE
  
References:
DSA-4664
FEDORA-2020-20b748e81e
FEDORA-2020-69f2f1d987
USN-4348-1
https://lists.debian.org/debian-lts-announce/2020/05/msg00002.html
http://www.openwall.com/lists/oss-security/2020/04/24/3
http://bazaar.launchpad.net/~mailman-coders/mailman/2.1/view/head:/NEWS
https://www.openwall.com/lists/oss-security/2020/02/24/2
https://www.openwall.com/lists/oss-security/2020/02/24/3
openSUSE-SU-2020:1707
openSUSE-SU-2020:1752

CPE (4):
cpe:/o:debian:debian_linux:9.0
cpe:/o:debian:debian_linux:8.0
cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~
cpe:/a:gnu:mailman
...
CWE (1):
CWE-79
OVAL (15):
oval:org.secpod.oval:def:504719
oval:org.secpod.oval:def:63492
oval:org.secpod.oval:def:67992
oval:org.secpod.oval:def:62958
...

© SecPod Technologies