Improper URL Parsing in Mailto Implementation Affects XDG Utils by FreeDesktop
CVE-2022-4055

7.4HIGH

Key Information:

Vendor: Freedesktop
Status: Xdg-utils
Vendor: CVE Published:; 19 November 2022

🔔 Create Freedesktop Vulnerability Alert

What is CVE-2022-4055?

The improper parsing of mailto URLs in XDG Utils can permit an attacker to craft a deceptive URL that appears legitimate to users. When combined with Thunderbird as the configured mail client, additional headers may be unintentionally included that allow the attachment of files without the user's awareness. This behavior contradicts the standards outlined in RFC 2368, posing risks to user security and privacy.

Affected Version(s)

xdg-utils xdg-utils 1.1.0 to and including 1.1.3

References

https://gitlab.freedesktop.org/xdg/xdg-utils/-/issues/205...

CVSS V3.1

Score:

7.4

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 19, 2022
Vulnerability Reserved
Nov 17, 2022

JSON