
Cloud Vulnerability DB
A community-led vulnerabilities database
GNU Mailman 2.x before 2.1.30 contains a cross-site scripting (XSS) vulnerability identified as CVE-2020-12137. The vulnerability was discovered and reported by Hanno Boeck, with the issue being publicly disclosed in April 2020. The vulnerability affects the web archive functionality of Mailman mailing list manager installations (NVD, Debian Advisory).
The vulnerability stems from Mailman's handling of application/octet-stream MIME parts in attachments. When scrubbing such attachments out of an archived message, Mailman saved them as separate files with a .obj extension. Many web servers have no MIME type configured for .obj files, so they serve the file without a Content-Type header. A browser receiving a response with no Content-Type falls back to MIME sniffing and, if the file begins with HTML-like content, treats it as HTML, executing any embedded JavaScript (OSS Security). The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).
If exploited, this vulnerability could allow attackers to perform XSS attacks against visitors of the list archives. When a user views an archived message containing a specially crafted attachment, malicious JavaScript code could be executed in their browser context, potentially leading to theft of sensitive information or session hijacking (NVD).
The vulnerability was fixed in Mailman version 2.1.30 by changing the extension used for scrubbed application/octet-stream MIME parts from .obj to .bin, because web servers typically map .bin to application/octet-stream and therefore send an explicit Content-Type that browsers will not sniff as HTML. Various Linux distributions have backported the fix to their maintained versions, including Ubuntu (1:2.1.26-1ubuntu0.1 for 18.04 LTS), Debian (1:2.1.29-1+deb10u1 for Buster), and Fedora (Ubuntu Advisory, Debian Advisory).
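The following added example models the chain described above (extension chosen by the scrubber, web server extension map, browser sniffing) so that the effect of the .obj to .bin change can be checked directly. It is illustrative code written for this page, not Mailman's scrubber or any browser's sniffer: the `SERVER_MIME_MAP` dictionary is a constructed stand-in for a web server whose mime.types has no entry for .obj, and `computed_mime_type` is a simplified subset of the WHATWG MIME sniffing rules for a response that lacks a Content-Type header. It also shows the server-side mitigation that is independent of Mailman's fix: sending `X-Content-Type-Options: nosniff`, which stops the browser from upgrading an untyped response to text/html.

```python
"""Model of why the scrubbed-attachment extension mattered for CVE-2020-12137.

Added example, not Mailman's code. SERVER_MIME_MAP is a constructed
stand-in for a web server's mime.types that lacks an entry for ".obj".
"""
import os

# Constructed server extension map: ".bin" is typed, ".obj" is absent.
SERVER_MIME_MAP = {
    ".bin": "application/octet-stream",
    ".txt": "text/plain",
    ".html": "text/html",
}

# Extension the scrubber uses for application/octet-stream parts,
# before and after the Mailman 2.1.30 fix.
SCRUB_EXTENSION = {"before-2.1.30": ".obj", "2.1.30": ".bin"}

# Simplified subset of the WHATWG "identify an unknown MIME type" tag
# patterns: "<" + tag + a tag-terminating byte (space or ">").
_HTML_TAGS = ("!DOCTYPE HTML", "HTML", "HEAD", "SCRIPT", "IFRAME", "H1",
              "DIV", "FONT", "TABLE", "A", "STYLE", "TITLE", "B", "BODY",
              "BR", "P", "!--")

# WHATWG "binary data byte" ranges used to distinguish text from binary.
_BINARY = (set(range(0x00, 0x09)) | {0x0B} | set(range(0x0E, 0x1B))
           | set(range(0x1C, 0x20)))


def looks_like_html(body: bytes) -> bool:
    """True if the leading bytes match one of the HTML tag patterns."""
    head = body.lstrip(b" \t\n\r\x0c")[:64].decode("latin-1").upper()
    for tag in _HTML_TAGS:
        end = len(tag) + 1
        if head.startswith("<" + tag) and len(head) > end and head[end] in " >":
            return True
    return False


def computed_mime_type(content_type, body: bytes, nosniff: bool = False) -> str:
    """Simplified 'computed MIME type' for a top-level navigation response.

    A supplied Content-Type wins. With no Content-Type the browser sniffs;
    the sniff may only yield text/html when X-Content-Type-Options: nosniff
    is absent (the no-sniff flag disables the scriptable sniff).
    """
    if content_type is not None:
        return content_type
    if not nosniff and looks_like_html(body):
        return "text/html"
    if any(b in _BINARY for b in body[:1445]):
        return "application/octet-stream"
    return "text/plain"


def served_content_type(filename: str):
    """Content-Type the constructed server would send, or None if unmapped."""
    ext = os.path.splitext(filename)[1].lower()
    return SERVER_MIME_MAP.get(ext)


def archive_render_type(version: str, body: bytes, nosniff: bool = False) -> str:
    """How a browser would interpret a scrubbed octet-stream attachment
    served from the archive of the given Mailman version."""
    filename = "attachment" + SCRUB_EXTENSION[version]
    return computed_mime_type(served_content_type(filename), body, nosniff)


if __name__ == "__main__":
    # Constructed attachment body: octet-stream part whose bytes look like HTML.
    sample = b"<html><body>constructed sample</body></html>"
    for version in SCRUB_EXTENSION:
        for nosniff in (False, True):
            print(version, "nosniff=%s" % nosniff,
                  archive_render_type(version, sample, nosniff))
```

Running the script prints that the pre-2.1.30 layout renders the sample as text/html unless nosniff is set, while the .bin layout yields application/octet-stream in both cases. For an archive you operate, the two checks that matter are therefore whether the server maps every extension the scrubber can produce to a non-HTML type, and whether it sends `X-Content-Type-Options: nosniff` on archive responses.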
Source: This report was generated using AI