When xdg-mail is configured to use thunderbird for mailto URLs, improper parsing of the URL can lead to additional headers being passed to thunderbird that should not be included per RFC 2368. An attacker can use this method to create a mailto URL that looks safe to users, but will actually attach files when clicked.
References
Link | Resource |
---|---|
https://gitlab.freedesktop.org/xdg/xdg-utils/-/issues/205#note_1494267 | Exploit Issue Tracking Third Party Advisory |
Configurations
History
26 Nov 2022, 03:18
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-11-19 00:15
Updated : 2024-02-04 23:14
NVD link : CVE-2022-4055
Mitre link : CVE-2022-4055
CVE.ORG link : CVE-2022-4055
JSON object : View
Products Affected
freedesktop
- xdg-utils
CWE
CWE-146
Improper Neutralization of Expression/Command Delimiters