Mailman Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability - CVE-2020-12137 - Vulnerability Database

Mailman

Mailman Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability - CVE-2020-12137

Medium

Reference: CVE-2020-12137

NVD Link: https://nvd.nist.gov/vuln/detail/CVE-2020-12137

Title: Mailman Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability

Overview:

GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed application/octet-stream MIME parts. This behavior may contribute to XSS attacks against list-archive visitors because an HTTP reply from an archive web server may lack a MIME type and a web browser may perform MIME sniffing conclude that the MIME type should have been text/html and execute JavaScript code.