CVE-2016-7966
Publication date 5 October 2016
Last updated 25 August 2025
Ubuntu priority
Description
Through a malicious URL that contained a quote character it was possible to inject HTML code in KMail's plaintext viewer. Due to the parser used on the URL it was not possible to include the equal sign (=) or a space into the injected HTML, which greatly reduces the available HTML functionality. Although it is possible to include an HTML comment indicator to hide content.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| kcoreaddons | ||
| 16.04 LTS xenial |
Fixed 5.18.0-0ubuntu1.1
|
|
| 14.04 LTS trusty | Not in release | |
| kdepim | ||
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty |
Not affected
|
|
| kdepimlibs | ||
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty |
Fixed 4:4.13.3-0ubuntu0.4
|
|
| kf5-messagelib | ||
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
Notes
Patch details
| Package | Patch details |
|---|---|
| kcoreaddons | |
| kdepimlibs |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
7.3 · High
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity impact | Low |
| Availability impact | Low |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
References
Related Ubuntu Security Notices (USN)
- USN-3100-1
- KDE-PIM Libraries vulnerability
- 12 October 2016