CVE-2022-4055
HIGH
xdg-mail - Info Disclosure
Title source: llm
Description
When xdg-mail is configured to use thunderbird for mailto URLs, improper parsing of the URL can lead to additional headers being passed to thunderbird that should not be included per RFC 2368. An attacker can use this method to create a mailto URL that looks safe to users, but will actually attach files when clicked.
Scores
CVSS v3: 7.4
EPSS: 0.0004
EPSS Percentile: 11.0%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
Classification
CWE: CWE-146
Status: published
Affected Products (1)
freedesktop/xdg-utils < 1.1.3
Timeline
Published: Nov 19, 2022
Tracked Since: Feb 18, 2026