CVE-2020-27748

01.06.2021, 14:15

A flaw was found in the xdg-email component of xdg-utils-1.1.0-rc1 and newer. When handling mailto: URIs, xdg-email allows attachments to be discreetly added via the URI when being passed to Thunderbird. An attacker could potentially send a victim a URI that automatically attaches a sensitive file to a new email. If a victim user does not notice that an attachment was added and sends the email, this could result in sensitive information disclosure. It has been confirmed that the code behind this issue is in xdg-email and not in Thunderbird.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	6.5 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
redhat	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 58%

Vendor	Product	Version
freedesktop	xdg-utils	1.1.0 ≤

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

xdg-utils

sid	vulnerable
trixie	vulnerable
bookworm	postponed
bullseye	postponed
buster	postponed
stretch	postponed

Ubuntu Releases

Ubuntu Product

Codename

xdg-utils

groovy	ignored
focal	ignored
bionic	ignored
xenial	ignored
trusty	dne

Known Exploits!

Common Weakness Enumeration

CWE-201 - Insertion of Sensitive Information Into Sent Data
The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.

References

https://bugzilla.redhat.com/show_bug.cgi?id=1899769

https://gitlab.freedesktop.org/xdg/xdg-utils/-/issues/177

https://bugzilla.redhat.com/show_bug.cgi?id=1899769

https://gitlab.freedesktop.org/xdg/xdg-utils/-/issues/177