CVE-2020-27748

Name of the Vulnerable Software and Affected Versions xdg-utils versions 1.1.0-rc1 and newer

Description A flaw was found in the xdg-email component. When handling mailto: URIs, xdg-email allows attachments to be discreetly added via the URI when being passed to Thunderbird. An attacker could potentially send a victim a URI that automatically attaches a sensitive file to a new email. If a victim user does not notice that an attachment was added and sends the email, this could result in sensitive information disclosure.

Recommendations For xdg-utils versions 1.1.0-rc1 and newer, consider disabling the handling of mailto: URIs in the xdg-email component until a patch is available. Restrict access to sensitive files to minimize the risk of exploitation. Avoid using the xdg-email component to handle mailto: URIs that may include attachments until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.