[Bugs] [Bug 13344] New: [CVE 21] xdg-utils 1.1.3 CVEs found

[bugzilla]

https://bugzilla.rosalinux.ru/show_bug.cgi?id=13344

          Platform: 2021.1
            Bug ID: 13344
           Summary: [CVE 21] xdg-utils 1.1.3  CVEs found
    Classification: ROSA-based products
           Product: ROSA Fresh
           Version: All
          Hardware: All
               URL: CVE-2020-27748,
                OS: Linux
            Status: CONFIRMED
          Severity: normal
          Priority: Normal
         Component: System (kernel, glibc, systemd, bash, PAM...)
          Assignee: bugs на lists.rosalinux.ru
          Reporter: y.tumanov на rosalinux.ru
        QA Contact: bugs на lists.rosalinux.ru
                CC: s.matveev на rosalinux.ru, y.tumanov на rosalinux.ru
  Target Milestone: ---
             Flags: secteam_verified?

Please patch CVEs for package xdg-utils version 1.1.3

INFO (CVEs are): xdg-utils 1.1.3
 cves found
CVE-2020-27748
Desc: A flaw was found in the xdg-email component of xdg-utils-1.1.0-rc1 and
newer. When handling mailto: URIs, xdg-email allows attachments to be
discreetly added via the URI when being passed to Thunderbird. An attacker
could potentially send a victim a URI that automatically attaches a sensitive
file to a new email. If a victim user does not notice that an attachment was
added and sends the email, this could result in sensitive information
disclosure. It has been confirmed that the code behind this issue is in
xdg-email and not in Thunderbird.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-27748
Severity: MEDIUM

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
----------- следущая часть -----------
Вложение в формате HTML было извлечено…
URL: <http://lists.rosalinux.ru/pipermail/bugs/attachments/20230503/fa7dfb11/attachment.html>