First published: Fri Nov 20 2020
A flaw was found in the xdg-email component of xdg-utils-1.1.0-rc1 and newer. When handling mailto: URIs, xdg-email allows attachments to be discreetly added via the URI when being passed to Thunderbird. An attacker could potentially send a victim a URI that automatically attaches a sensitive file to a new email. If a victim user does not notice that an attachment was added and sends the email, this could result in sensitive information disclosure. It has been confirmed that the code behind this issue is in xdg-email and not in Thunderbird.
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix
---|---|---
Freedesktop Xdg-utils | >=1.1.0 | 
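The flaw described above is a pass-through problem: a field carried inside a `mailto:` URI ends up controlling what the mail client attaches. The defensive counterpart is to treat the URI as untrusted input and keep only the header fields a `mailto:` link is supposed to carry before handing it to any mail client. The following Python is an added example written for this page, not code from xdg-utils or Thunderbird; the field names it treats as attachment directives (`attach`, `attachment`) and the sample URIs are assumptions constructed for the example.

```python
from urllib.parse import quote, unquote

# Assumption for this example: these query keys are the ones a handler might
# translate into an attachment request for the mail client.
ATTACHMENT_KEYS = frozenset({"attach", "attachment"})

# Header fields a mailto: link is expected to carry (RFC 6068 style);
# anything outside this allow-list is dropped rather than forwarded.
ALLOWED_HEADERS = frozenset({"to", "cc", "bcc", "subject", "body"})


def parse_mailto(uri):
    """Split a mailto: URI into (recipients, [(key, value), ...]).

    Keys are lower-cased and values percent-decoded. The query is split by
    hand rather than with parse_qsl so that a literal '+' in a body survives.
    Raises ValueError for anything that is not a mailto: URI.
    """
    if not uri.lower().startswith("mailto:"):
        raise ValueError("not a mailto: URI")
    rest = uri[len("mailto:"):]
    addr_part, _, query = rest.partition("?")
    recipients = [unquote(a) for a in addr_part.split(",") if a]
    headers = []
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        headers.append((unquote(key).lower(), unquote(value)))
    return recipients, headers


def sanitize_mailto(uri):
    """Return (safe_uri, rejected).

    safe_uri carries only allow-listed header fields, re-encoded; rejected
    lists every (key, value) pair that was stripped, so a caller can log it
    or warn the user that the link tried to smuggle extra fields.
    """
    recipients, headers = parse_mailto(uri)
    kept, rejected = [], []
    for key, value in headers:
        if key in ATTACHMENT_KEYS or key not in ALLOWED_HEADERS:
            rejected.append((key, value))
        else:
            kept.append((key, value))
    safe = "mailto:" + ",".join(quote(r, safe="@") for r in recipients)
    if kept:
        safe += "?" + "&".join(
            f"{quote(k)}={quote(v, safe='')}" for k, v in kept
        )
    return safe, rejected


def requests_attachment(uri):
    """True when the URI carries any attachment-style field (detection only)."""
    _, headers = parse_mailto(uri)
    return any(key in ATTACHMENT_KEYS for key, _ in headers)


if __name__ == "__main__":
    # Constructed sample: a benign subject/body plus a smuggled attach field.
    sample = ("mailto:alice@example.com?subject=Quarterly%20report"
              "&attach=/home/alice/private/notes.txt&body=see%20attached")
    cleaned, dropped = sanitize_mailto(sample)
    print("forward to mail client:", cleaned)
    print("stripped fields:", dropped)
```

In a real handler the `rejected` list is the useful signal: a `mailto:` link that arrives with attachment fields is worth surfacing to the user or logging, not silently honouring.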
The severity of CVE-2020-27748 is medium.
The affected software for CVE-2020-27748 is xdg-utils version 1.1.0 and newer.
CVE-2020-27748 allows attachments to be discreetly added to a new message via the mailto: URI that xdg-email passes to Thunderbird.
Known references for CVE-2020-27748:

- [https://bugzilla.mozilla.org/show_bug.cgi?id=1613425](https://bugzilla.mozilla.org/show_bug.cgi?id=1613425)
- [https://gitlab.freedesktop.org/Mic92/xdg-utils/-/commit/1f199813e0eb0246f63b54e9e154970e609575af](https://gitlab.freedesktop.org/Mic92/xdg-utils/-/commit/1f199813e0eb0246f63b54e9e154970e609575af)
- [https://gitlab.freedesktop.org/xdg/xdg-utils/-/issues/177](https://gitlab.freedesktop.org/xdg/xdg-utils/-/issues/177)
The CWE for CVE-2020-27748 is CWE-201.