CVE-2022-4055

CVSS 7.4 HIGHEPSS 0.7%CWE-146

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 7.4EPSS 0.7%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

18 Nov 2022Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

When xdg-mail is configured to use thunderbird for mailto URLs, improper parsing of the URL can lead to additional headers being passed to thunderbird that should not be included per RFC 2368. An attacker can use this method to create a mailto URL that looks safe to users, but will actually attach files when clicked.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

Affected products

n/a · xdg-utils

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://gitlab.freedesktop.org/xdg/xdg-utils/-/issues/205#note_1494267