CVE-2020-27748

EPSS 1.4% · CWE-201
In short

A flaw in xdg-email lets an attacker silently add file attachments to an email through a specially crafted mailto: link. If a user clicks such a link and sends the email without noticing the hidden attachment, sensitive files can be disclosed unintentionally.

Technical detail

xdg-email improperly handles mailto: URIs by allowing arbitrary file attachments to be injected via URI parameters when launching Thunderbird. An attacker can craft a malicious mailto: link that, when clicked by a user, silently attaches sensitive files to a new email draft, potentially leading to information disclosure if the user sends the email without verifying the attachment list.

Summary generated and translated by AI from the official description.
A flaw was found in the xdg-email component of xdg-utils-1.1.0-rc1 and newer. When handling mailto: URIs, xdg-email allows attachments to be discreetly added via the URI when being passed to Thunderbird. An attacker could potentially send a victim a URI that automatically attaches a sensitive file to a new email. If a victim user does not notice that an attachment was added and sends the email, this could result in sensitive information disclosure. It has been confirmed that the code behind this issue is in xdg-email and not in Thunderbird.
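The technical detail and the official description above both come down to the same point: header fields carried in the mailto: URI were passed through to the mail client, so a field that Thunderbird interprets as an attachment request became an attachment. The mitigation on the handler side is to allow-list the header fields a mailto: URI may carry and drop everything else before the URI reaches the client. The following is an added example written for this page, not the xdg-utils code or its upstream fix; the parameter name `attach` in the sample URIs is an assumption, since the page does not name the field, and the file paths are constructed.

```python
from urllib.parse import unquote

# Header fields a mailto: URI is expected to carry (RFC 6068 lists these as the
# common ones). Anything else, including attachment-style fields, is dropped.
ALLOWED_FIELDS = {"to", "cc", "bcc", "subject", "body", "in-reply-to"}


def sanitize_mailto(uri):
    """Split a mailto: URI into its address part and header fields, keep only
    allow-listed fields, and return (clean_uri, dropped).

    dropped is a list of (decoded_name, decoded_value) pairs that were removed,
    so the caller can log or warn about them before handing the URI to a mail
    client.
    """
    if uri[:7].lower() != "mailto:":
        raise ValueError("not a mailto: URI")
    addr, _, query = uri[7:].partition("?")
    kept, dropped = [], []
    for raw_pair in filter(None, query.split("&")):
        raw_name, _, raw_value = raw_pair.partition("=")
        # Decode before checking so that percent-encoded or mixed-case names
        # (e.g. %41ttach) cannot slip past the allow-list.
        name, value = unquote(raw_name), unquote(raw_value)
        if name.lower() in ALLOWED_FIELDS:
            kept.append(raw_pair)  # keep the original encoding untouched
        else:
            dropped.append((name, value))
    clean = "mailto:" + addr
    if kept:
        clean += "?" + "&".join(kept)
    return clean, dropped


if __name__ == "__main__":
    # Constructed sample: a benign subject plus an attachment-style field
    # (field name "attach" is an assumption; the path is made up).
    sample = "mailto:alice@example.com?subject=Hi&attach=/home/user/secret.txt"
    clean, dropped = sanitize_mailto(sample)
    print("clean  :", clean)
    print("dropped:", dropped)
```

The allow-list is deliberately small: a handler that forwards unknown fields to the mail client inherits whatever semantics that client gives them, which is exactly how the attachment slipped in here. Returning the dropped pairs rather than discarding them silently lets a handler log the event or show the user what was removed.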
Affected products
n/a · xdg-utils
