Lucene search

K

[email protected]NVD:CVE-2020-12137

HistoryApr 24, 2020 - 1:15 p.m.

CVE-2020-12137

2020-04-2413:15:11

CWE-79

[email protected]

web.nvd.nist.gov

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6.1 Medium

AI Score

Confidence

High

0.017 Low

EPSS

Percentile

87.7%

GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed application/octet-stream MIME parts. This behavior may contribute to XSS attacks against list-archive visitors, because an HTTP reply from an archive web server may lack a MIME type, and a web browser may perform MIME sniffing, conclude that the MIME type should have been text/html, and execute JavaScript code.

Affected configurations

NVD

Node

gnumailmanRange2.0–2.1.30

Node

debiandebian_linuxMatch9.0

OR

debiandebian_linuxMatch10.0

Node

fedoraprojectfedoraMatch31

OR

fedoraprojectfedoraMatch32

Node

debiandebian_linuxMatch8.0

Node

canonicalubuntu_linuxMatch16.04esm

OR

canonicalubuntu_linuxMatch18.04lts

Node

opensusebackports_sleMatch15.0sp2

OR

opensuseleapMatch15.2

References

bazaar.launchpad.net/~mailman-coders/mailman/2.1/view/head:/NEWS

lists.opensuse.org/opensuse-security-announce/2020-10/msg00047.html

lists.opensuse.org/opensuse-security-announce/2020-10/msg00063.html

www.openwall.com/lists/oss-security/2020/04/24/3

lists.debian.org/debian-lts-announce/2020/05/msg00002.html

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6YCMGTTOXXCVM4O6CYZLTZDX6YLYORNF/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G4COSBBEMJYLV7WSW5QTUJUOFJFK47KK/

usn.ubuntu.com/4348-1/

www.debian.org/security/2020/dsa-4664

www.openwall.com/lists/oss-security/2020/02/24/2

www.openwall.com/lists/oss-security/2020/02/24/3

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6.1 Medium

AI Score

Confidence

High

0.017 Low

EPSS

Percentile

87.7%

Related for NVD:CVE-2020-12137

openvas14 nessus17 fedora2 redhatcve1 prion1 debian2 cve1 oraclelinux1 almalinux1 ubuntucve1 debiancve1 veracode1 osv3 cvelist1 redhat1 suse2 ubuntu2 mageia1 rosalinux1