Report

CVE-2018-20483: Information Leak via Extended Attributes in Wget

ab805478-f4ec-4f71-80f7-ca526848fa64

Wget stores complete download URLs (including sensitive query parameters) in POSIX extended file attributes when the --xattr flag is used. If a URL contains API tokens, session IDs, or authentication credentials in query parameters, this sensitive information is exposed in world-readable extended attributes that persist with the downloaded file. Any local user with filesystem access can read these attributes using getfattr or similar tools, leading to information disclosure of authentication credentials and sensitive API keys.
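To check existing downloads for this exposure, the following added example (not part of the original report, and not wget's code) walks a directory and flags files whose wget-written attributes hold a URL with embedded credentials or a query string, printing only a redacted form. It assumes the Linux attribute names user.xdg.origin.url and user.xdg.referrer.url, which the report does not name; redact_url and audit_tree are hypothetical helper names.

```python
import os
import sys
from urllib.parse import urlsplit, urlunsplit

# Attribute names assumed here: the ones wget writes with --xattr on Linux.
WGET_XATTRS = ("user.xdg.origin.url", "user.xdg.referrer.url")


def redact_url(url):
    """Return (redacted_url, reasons); reasons is empty when nothing sensitive is present."""
    parts = urlsplit(url)
    reasons = []
    netloc = parts.netloc
    if "@" in netloc:  # user:password@host
        netloc = netloc.rsplit("@", 1)[1]
        reasons.append("userinfo")
    if parts.query:  # tokens, session IDs, API keys
        reasons.append("query")
    # Drop query and fragment so the audit output does not repeat the secret.
    return urlunsplit((parts.scheme, netloc, parts.path, "", "")), reasons


def audit_tree(root, getxattr=None):
    """Return [(path, attr, redacted_url, reasons)] for every risky attribute under root."""
    getxattr = getxattr or os.getxattr  # injectable so the logic can be tested without xattrs
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            for attr in WGET_XATTRS:
                try:
                    raw = getxattr(path, attr)
                except OSError:
                    continue  # attribute absent, or filesystem without xattr support
                redacted, reasons = redact_url(raw.decode("utf-8", "replace"))
                if reasons:
                    findings.append((path, attr, redacted, reasons))
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, attr, redacted, reasons in audit_tree(root):
        print(f"{path}: {attr} carries {'+'.join(reasons)} (redacted: {redacted})")
```

A flagged attribute can be removed from a file with setfattr -x <attribute> <file>.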