First published: Sat Nov 19 2022
When xdg-email (written as xdg-mail in the original advisory text) is configured to use Thunderbird for mailto: URLs, it parses the URL loosely and forwards header fields to Thunderbird's compose command line without restricting them to the headers that RFC 2368 (now RFC 6068) allows a mail user agent to honour. An attacker can craft a mailto: link that looks like an ordinary mail link to the user but, when clicked, opens a Thunderbird compose window with local files already attached.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Freedesktop Xdg-utils | >= 1.1.0, <= 1.1.3 | Upgrade to 1.1.4 or later |
CVE-2022-4055 is a vulnerability in xdg-utils: when xdg-email (named xdg-mail in the original advisory text) is configured to use Thunderbird for mailto: URLs, the URL is parsed loosely and header fields that a mail user agent should not honour are passed on to Thunderbird's compose command line.
CVE-2022-4055 has a CVSS base score of 7.4 (High).
The vulnerability affects Freedesktop Xdg-utils versions 1.1.0 through 1.1.3.
An attacker exploits CVE-2022-4055 with a crafted mailto: link that looks like an ordinary mail link to the user but carries extra headers; when the user clicks it, those headers reach Thunderbird and cause local files to be attached to the new message.
Update to a version of Freedesktop Xdg-utils that is not affected (1.1.4 or later), or to a distribution package that carries the backported fix. The vulnerable path is only reached when Thunderbird is the mail client xdg-email is configured to use, so systems with a different handler for mailto: URLs are not exposed.
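The conversion the advisory describes, as an added example that is not xdg-utils code and not the project's patch: a POSIX sh script that turns a mailto: URL into the string a wrapper would hand to `thunderbird -compose "..."`, once passing every header through (the pattern behind this CVE) and once restricted to the headers RFC 2368/6068 lets a user agent honour. Thunderbird's `key='value',key='value'` compose syntax and the `attachment=` key are real; the functions, the addresses, the subject and the file paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not xdg-utils code: build the argument for
# `thunderbird -compose "..."` from a mailto: URL, in a vulnerable
# pass-everything mode and in an allow-list mode.
# Assumption: Thunderbird compose syntax key='value',key='value' with the
# real key name attachment=; all sample addresses and paths are constructed.

# Percent-decode %HH sequences in pure POSIX sh (no printf '%b' \x extension).
# A decoded newline is dropped by the command substitution, which is fine here.
pct_decode() {
    _s=$1; _out=
    while [ -n "$_s" ]; do
        case $_s in
            %[0-9A-Fa-f][0-9A-Fa-f]*)
                _hex=${_s#%}; _hex=${_hex%"${_hex#??}"}   # the two hex digits
                _out=$_out$(printf "\\$(printf '%03o' "$((0x$_hex))")")
                _s=${_s#???} ;;
            *)
                _out=$_out${_s%"${_s#?}"}                  # copy one character
                _s=${_s#?} ;;
        esac
    done
    printf '%s' "$_out"
}

# Split "mailto:addr?h1=v1&h2=v2" or "mailto:?h1=v1&..." into one "h=v" line
# per header; the address part becomes a to= header.
mailto_fields() {
    _u=${1#mailto:}
    case $_u in
        \?*)   _u=${_u#?} ;;
        *\?*)  _u="to=${_u%%\?*}&${_u#*\?}" ;;
        *)     _u="to=$_u" ;;
    esac
    printf '%s\n' "$_u" | tr '&' '\n'
}

# build_compose MODE URL
#   MODE=passthrough  every header becomes a -compose key (vulnerable pattern)
#   MODE=allowlist    only to/cc/bcc/subject/body are forwarded; attachment=
#                     and any other header in the URL never reaches Thunderbird.
#                     ' and , are also stripped from values so a decoded value
#                     cannot close its own key='...' pair and start a new key.
build_compose() {
    _mode=$1 _url=$2 _arg=
    while IFS= read -r _field; do
        case $_field in *=*) ;; *) continue ;; esac
        _name=$(printf '%s' "${_field%%=*}" | tr 'A-Z' 'a-z')
        _val=$(pct_decode "${_field#*=}")
        if [ "$_mode" = allowlist ]; then
            case $_name in to|cc|bcc|subject|body) ;; *) continue ;; esac
            _val=$(printf '%s' "$_val" | tr -d "',")
        fi
        _arg="${_arg:+$_arg,}$_name='$_val'"
    done <<EOF
$(mailto_fields "$_url")
EOF
    printf '%s' "$_arg"
}

# Constructed sample: reads as a plain mail link, but carries an attachment header.
SAMPLE='mailto:victim@example.org?subject=Invoice%20attached&attachment=/home/user/.ssh/id_rsa'
echo "passthrough: $(build_compose passthrough "$SAMPLE")"
echo "allowlist:   $(build_compose allowlist "$SAMPLE")"
```

Run as-is, the passthrough line ends in `attachment='/home/user/.ssh/id_rsa'` while the allowlist line stops after the subject. The quote stripping in allowlist mode is a separate, defensive choice: because the compose argument is a single comma-separated string, a value decoded to `x',attachment='/etc/passwd` would otherwise be handed over looking like a second key even when `attachment` itself is filtered by name, so header filtering and value sanitising have to be applied together.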