This was fixed in Mailman 2.1.30 by using .bin for the extension, but a bug report was never created.
The issue prior to 2.1.30 was that a scrubbed attachment with no extension in its name would be saved with a .obj extension, and some web servers and/or browsers would not recognize the .obj extension and possibly serve evil JavaScript as HTML.
For more info see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12137
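An added example, not part of the original report and not Mailman code: a small audit that walks an attachment directory and flags `.obj` files whose leading bytes look like HTML, which are the files left over from before 2.1.30 that are worth reviewing. The marker list, file names and sample tree are constructed assumptions.

```python
import os
import tempfile

# Assumption: byte markers that could make a content-sniffing client treat
# a file as HTML. Heuristic list for this audit, not taken from any browser.
HTML_MARKERS = (b"<!doctype html", b"<html", b"<script", b"<body", b"<iframe", b"<svg")
RISKY_EXTENSIONS = (".obj",)  # extension the report says was used before 2.1.30


def looks_like_html(data):
    """Return True if the first 1024 bytes contain an HTML-like marker."""
    head = data[:1024].lower()
    return any(marker in head for marker in HTML_MARKERS)


def audit_attachments(root):
    """Return sorted paths of .obj files under root whose content looks like HTML."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(RISKY_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if looks_like_html(fh.read(1024)):
                    findings.append(path)
    return sorted(findings)


def build_sample_tree(root):
    """Write constructed sample files standing in for scrubbed attachments."""
    samples = {
        "attachment.obj": b"<html><script>/* constructed sample */</script></html>",
        "attachment-0001.obj": b"\x00\x01\x02 binary payload, constructed sample",
        "attachment-0002.bin": b"<html>saved with the 2.1.30 extension</html>",
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for hit in audit_attachments(tmp):
            print("review:", hit)
```

Point `audit_attachments` at the real archive attachment directory to list files that predate the upgrade; the `.bin` file is skipped because that is the extension 2.1.30 writes.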