CVE-2022-4055
First published: Sat Nov 19 2022(Updated: )
When xdg-mail is configured to use thunderbird for mailto URLs, improper parsing of the URL can lead to additional headers being passed to thunderbird that should not be included per RFC 2368. An attacker can use this method to create a mailto URL that looks safe to users, but will actually attach files when clicked.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Freedesktop Xdg-utils | >=1.1.0<=1.1.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is CVE-2022-4055?
CVE-2022-4055 is a vulnerability that occurs when xdg-mail is configured to use thunderbird for mailto URLs, leading to improper parsing of the URL and the inclusion of additional headers in thunderbird.
What is the severity of CVE-2022-4055?
CVE-2022-4055 has a severity of 7.4 (high).
Which software is affected by CVE-2022-4055?
The vulnerability affects Freedesktop Xdg-utils versions 1.1.0 to 1.1.3.
How can an attacker exploit CVE-2022-4055?
An attacker can exploit CVE-2022-4055 by creating a malicious mailto URL that appears safe to users but attaches additional headers in thunderbird.
Is there a fix available for CVE-2022-4055?
Yes, it is recommended to update to a version of Freedesktop Xdg-utils that is not affected (version 1.1.4 or later).
- collector/nvd-index
- agent/references
- agent/severity
- agent/author
- agent/type
- agent/event
- vendor/freedesktop
- canonical/freedesktop xdg-utils
- version/freedesktop xdg-utils/1.1.0
- version/freedesktop xdg-utils/1.1.3