GNU Mailman 2.x prior to 2.1.30 uses the .obj extension for scrubbed application/octet-stream MIME parts. This behavior may contribute to XSS attacks against list-archive visitors, because an HTTP reply from an archive web server may lack a MIME type, and a web browser may perform MIME sniffing, conclude that the MIME type should have been text/html, and execute JavaScript code.
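A defender can check how an archive web server actually answers requests for scrubbed `.obj` attachments. The following is an added example, not code from Mailman or from this advisory; the archive path, header blocks and body are constructed samples, and the HTML prefix list is a simplified assumption rather than the full browser sniffing table.

```python
from email.message import Message

# Simplified subset of prefixes browsers treat as HTML when sniffing
# (assumption: illustrative, not the complete MIME sniffing table).
HTML_HINTS = (b"<!doctype html", b"<html", b"<head", b"<script", b"<body", b"<iframe")

# Constructed sample data for an archived attachment response.
PATH = "/pipermail/example-list/attachments/20200101/0000/attachment.obj"
RISKY_HEADERS = "Content-Length: 31\nAccept-Ranges: bytes"
SAFE_HEADERS = ("Content-Type: application/octet-stream\n"
                "X-Content-Type-Options: nosniff\n"
                'Content-Disposition: attachment; filename="attachment.obj"')
HTML_BODY = b"<html><body>hello</body></html>"

def parse_headers(raw: str) -> Message:
    """Parse a raw header block into a case-insensitive mapping."""
    msg = Message()
    for line in raw.strip().splitlines():
        name, _, value = line.partition(":")
        msg[name.strip()] = value.strip()
    return msg

def audit_attachment(path: str, raw_headers: str, body: bytes) -> list[str]:
    """Return findings for one archived attachment response."""
    h = parse_headers(raw_headers)
    ctype = (h.get("Content-Type") or "").split(";")[0].strip().lower()
    nosniff = (h.get("X-Content-Type-Options") or "").strip().lower() == "nosniff"
    attachment = (h.get("Content-Disposition") or "").lower().startswith("attachment")
    looks_html = body.lstrip().lower().startswith(HTML_HINTS)
    findings = []
    if not ctype:
        # The condition from the advisory: the reply carries no MIME type.
        findings.append("missing Content-Type")
    elif ctype == "text/html" and path.lower().endswith(".obj"):
        findings.append("scrubbed .obj part served as text/html")
    if not nosniff:
        findings.append("no X-Content-Type-Options: nosniff")
    if looks_html and not ctype and not nosniff and not attachment:
        findings.append("HIGH: HTML-like body may be sniffed and rendered")
    return findings

if __name__ == "__main__":
    for label, hdrs in (("risky", RISKY_HEADERS), ("safe", SAFE_HEADERS)):
        print(label, audit_attachment(PATH, hdrs, HTML_BODY))
```
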
Vulnerable Product |
---|
gnu mailman |
debian debian linux 8.0 |
debian debian linux 9.0 |
debian debian linux 10.0 |
fedoraproject fedora 31 |
fedoraproject fedora 32 |
canonical ubuntu linux 16.04 |
canonical ubuntu linux 18.04 |
opensuse leap 15.2 |
opensuse backports sle 15.0 |