2020-07-03 01:11:19 |
Mark Sapiro |
description |
This was fixed in Mailman 2.1.30 by using .bin for the extension, but a bug report was never created.
The issue prior to 2.1.30 was that a scrubbed attachment with no extension in its name would be saved with a .obj extension, and some web servers and/or browsers would not recognize the .obj extension and possibly serve evil JavaScript as HTML.
For more info see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12137 |
|
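An audit sketch for archives written before 2.1.30, added here as an example and not taken from Mailman or from the report: it walks an attachment directory and flags `.obj` files whose leading bytes look like HTML, which are the files worth reviewing or renaming. The directory layout, file names, marker list and function names are assumptions made for the illustration.

```python
import os
import re
import tempfile

# Heuristic markers chosen for this example (not from Mailman): content that
# starts like this is what a browser may render as HTML when the type is unknown.
HTML_MARKERS = re.compile(rb"<\s*(!doctype|html|script|body|iframe|svg|img)\b", re.I)


def find_risky_obj_files(root, sniff_bytes=1024):
    """Return sorted paths of *.obj files under root whose first bytes look like HTML."""
    risky = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".obj"):
                continue  # .bin and other extensions are out of scope here
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(sniff_bytes)
            if HTML_MARKERS.search(head):
                risky.append(path)
    return sorted(risky)


def build_sample_archive():
    """Create a small constructed attachment tree for the demonstration."""
    root = tempfile.mkdtemp(prefix="scrubbed-")
    samples = {
        "a/attachment.obj": b"<html><script>/* constructed sample */</script></html>",
        "b/attachment.obj": b"\x00\x01\x02 plain binary data",
        "c/attachment.bin": b"<html>saved by a fixed version</html>",
    }
    for rel, data in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for path in find_risky_obj_files(build_sample_archive()):
        print("review:", path)
```

Point `find_risky_obj_files` at the real attachment directory instead of the constructed tree to audit an existing archive.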