VYPR
Unrated severity · NVD Advisory · Published Apr 24, 2020 · Updated Aug 4, 2024

CVE-2020-12137

Description

GNU Mailman 2.x before 2.1.30 stores scrubbed attachments as .obj files, allowing stored XSS in archives via MIME sniffing when served without Content-Type.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

GNU Mailman versions 2.x before 2.1.30, when processing email attachments with unknown or no file extension, scrubs the attachment and stores it in the list archive with a .obj extension [1]. Many web servers (e.g., Apache httpd) do not have a MIME type mapping for .obj in their default configuration, so they serve these files without a Content-Type header [1]. This allows browsers to perform MIME sniffing, potentially interpreting the file as text/html if it contains HTML, leading to reflected or stored XSS [1].

Exploitation

An attacker sends an email to a Mailman-managed mailing list with an attachment that contains arbitrary HTML and JavaScript, but with an unknown or no file extension (or simply any attachment that Mailman classifies as application/octet-stream) [1]. Mailman scrubs the attachment and stores it with a .obj extension in the public list archive [1]. When a visitor views the archived message and the web browser loads the .obj file, the server may not provide a MIME type, causing the browser to MIME-sniff the content. If the attachment content is HTML, JavaScript within it executes in the context of the archive domain [1]. No authentication is required to trigger the XSS; the attacker only needs the ability to post to the list (which may be open) [1].

Impact

An attacker can execute arbitrary JavaScript in the browser of any visitor viewing the list archive, leading to potential data theft, session hijacking, or defacement. The XSS is stored and affects all viewers of the archive, not just the attacker [1]. The scope is the web domain hosting the archive.

Mitigation

The issue is fixed in Mailman 2.1.30 [1][2]. Users should upgrade to 2.1.30 or later [1]. As a workaround, administrators can add a MIME type mapping for .obj in the web server configuration (e.g., application/octet-stream) to force a proper Content-Type header [1]. Note that Mailman 2.x is EOL and tied to Python 2, which is also EOL; migration to Mailman 3 is recommended [3]. Fedora has released updated packages [4].
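As an added example (not code from the advisory, NVD, or the Mailman project), a defender-side check in Python for the two conditions the narrative describes: whether a stored .obj attachment's body would be MIME-sniffed as HTML, and whether the archive server's response headers for such a file leave that sniffing possible. The archive directory layout and the sample headers are constructed assumptions.

```python
"""Checks for the CVE-2020-12137 conditions: .obj attachment bodies that a
browser would sniff as HTML, and response headers that permit that sniffing."""
from __future__ import annotations
from pathlib import Path

# Tag prefixes from the WHATWG MIME Sniffing HTML patterns (a subset);
# each must be followed by a space or '>' to count as a match.
HTML_SIGNATURES = (
    b"<!doctype html", b"<html", b"<head", b"<script", b"<iframe", b"<h1",
    b"<div", b"<font", b"<table", b"<a", b"<style", b"<title", b"<b",
    b"<body", b"<br", b"<p",
)

def looks_like_html(data: bytes) -> bool:
    """True if the leading bytes match an HTML sniffing signature."""
    head = data[:512].lstrip(b" \t\n\r\x0c").lower()
    for sig in HTML_SIGNATURES:
        if head.startswith(sig) and head[len(sig):len(sig) + 1] in (b" ", b">"):
            return True
    return False

def header_verdict(headers: dict) -> tuple[bool, str]:
    """Classify the server's response headers for a .obj file.
    Returns (safe, reason). Header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    nosniff = h.get("x-content-type-options", "").strip().lower() == "nosniff"
    if not ctype:
        return False, "no Content-Type: browser will sniff the body"
    if ctype == "text/html":
        return False, "served as text/html: rendered, script executes"
    if ctype == "application/octet-stream" or nosniff:
        return True, f"{ctype} declared; sniffing to HTML suppressed"
    return True, f"{ctype} declared; consider X-Content-Type-Options: nosniff"

def scan_archive(root: Path) -> list[Path]:
    """List stored .obj attachments under an archive tree that sniff as HTML.
    The archive directory layout (assumed: .obj files anywhere below root)."""
    return sorted(p for p in root.rglob("*.obj") if looks_like_html(p.read_bytes()))

# Apache equivalent of the workaround the advisory suggests:
#   AddType application/octet-stream .obj
#   Header set X-Content-Type-Options nosniff

if __name__ == "__main__":
    # Constructed sample bodies and headers, not real archive data.
    print(looks_like_html(b"\n<html><body>scrubbed</body></html>"))  # True
    print(looks_like_html(b"\x7fELF\x02\x01\x01"))                   # False
    print(header_verdict({}))
    print(header_verdict({"Content-Type": "application/octet-stream"}))
```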

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 23

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: not available (only generated when the actual fix diff can be read)

References: 11

News mentions: 0