CVE-2022-4055

When xdg-mail is configured to use thunderbird for mailto URLs, improper parsing of the URL can lead to additional headers being passed to thunderbird that should not be included per RFC 2368. An attacker can use this method to create a mailto URL that looks safe to users, but will actually attach files when clicked.

CVSS v3 7.4 HIGH

7.4^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://gitlab.freedesktop.org/xdg/xdg-utils/-/issues/205#note_1494267	Exploit Issue Tracking Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:freedesktop:xdg-utils:*:*:*:*:*:*:*:*

History

26 Nov 2022, 03:18

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.4
CPE		cpe:2.3:a:freedesktop:xdg-utils::::::::
First Time		Freedesktop Freedesktop xdg-utils
References	~~(MISC) https://gitlab.freedesktop.org/xdg/xdg-utils/-/issues/205#note_1494267 -~~	(MISC) https://gitlab.freedesktop.org/xdg/xdg-utils/-/issues/205#note_1494267 - Exploit, Issue Tracking, Third Party Advisory

19 Nov 2022, 00:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-11-19 00:15

Updated : 2023-12-10 14:48

NVD link : CVE-2022-4055

Mitre link : CVE-2022-4055

CVE.ORG link : CVE-2022-4055

JSON object : View

Products Affected

freedesktop

xdg-utils

CWE

CWE-146

Improper Neutralization of Expression/Command Delimiters

7.4 /10