Attachment Exposure Vulnerability in xdg-email Component of xdg-utils
CVE-2020-27748

6.5 MEDIUM

Key Information:

Status
Vendor
CVE Published: 1 June 2021

What is CVE-2020-27748?

A vulnerability has been discovered in the xdg-email component of xdg-utils, affecting versions 1.1.0-rc1 and later. The flaw allows attachments to be added through mailto: URIs sent to users of email clients like Thunderbird. If a user opens a link containing such a malicious URI without realizing it, an attachment could be included in their email automatically, leading to unintentional disclosure of sensitive information. The issue resides in the xdg-email code itself, not in Thunderbird.
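One way to mitigate this class of issue before a link reaches the mail handler is to allowlist the mailto: header fields that are passed on. The sketch below is an added example, not code from xdg-utils or from this advisory; the `SAFE_FIELDS` allowlist, the `sanitize_mailto` name and the sample link are assumptions made for illustration.

```python
from urllib.parse import urlsplit, unquote

# Header fields accepted from an untrusted mailto: link. This allowlist is an
# assumption of the example, not a list taken from xdg-email.
SAFE_FIELDS = {"to", "cc", "bcc", "subject", "body"}


def sanitize_mailto(uri):
    """Return (clean_uri, dropped_names) with non-allowlisted fields removed."""
    parts = urlsplit(uri.strip())
    if parts.scheme != "mailto":          # urlsplit lowercases the scheme
        raise ValueError("not a mailto: URI")

    kept, dropped = [], []
    for pair in filter(None, parts.query.split("&")):
        raw_name, _, raw_value = pair.partition("=")
        # Decode before comparing so a percent-encoded name cannot slip past.
        name = unquote(raw_name).lower()
        if name in SAFE_FIELDS:
            kept.append(f"{name}={raw_value}")   # value stays percent-encoded
        else:
            dropped.append(name)

    clean = "mailto:" + parts.path
    if kept:
        clean += "?" + "&".join(kept)
    return clean, dropped


if __name__ == "__main__":
    # Constructed sample link; "x-extra-field" stands in for any field that is
    # not on the allowlist, such as one a handler would map to an attachment.
    sample = ("mailto:alice@example.org?subject=Q3%20report"
              "&x-extra-field=%2Ftmp%2Fexample.txt&body=hello")
    clean, dropped = sanitize_mailto(sample)
    print(clean)
    print("dropped:", dropped)
```

Logging the dropped field names gives a simple detection signal for links that tried to set more than addressing, subject and body.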

Affected Version(s)

xdg-utils xdg-utils-1.1.0-rc1

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
