CVE-2020-27748

EUVD-2020-20252

01.06.2021, 14:15

A flaw was found in the xdg-email component of xdg-utils-1.1.0-rc1 and newer. When handling mailto: URIs, xdg-email allows attachments to be discreetly added via the URI when being passed to Thunderbird. An attacker could potentially send a victim a URI that automatically attaches a sensitive file to a new email. If a victim user does not notice that an attachment was added and sends the email, this could result in sensitive information disclosure. It has been confirmed that the code behind this issue is in xdg-email and not in Thunderbird.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.5 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 64%

Affected Products (NVD)

Vendor	Product	Version
freedesktop	xdg-utils	1.1.0 ≤

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

xdg-utils

bookworm	postponed
bullseye	postponed
buster	postponed
sid	vulnerable
stretch	postponed
trixie	vulnerable

Ubuntu Releases

Ubuntu Product

Codename

xdg-utils

bionic	ignored
focal	ignored
groovy	ignored
trusty	dne
xenial	ignored

Known Exploits!

Common Weakness Enumeration

CWE-201 - Insertion of Sensitive Information Into Sent Data
The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.

References

https://bugzilla.redhat.com/show_bug.cgi?id=1899769

https://gitlab.freedesktop.org/xdg/xdg-utils/-/issues/177

https://bugzilla.redhat.com/show_bug.cgi?id=1899769

https://gitlab.freedesktop.org/xdg/xdg-utils/-/issues/177