Search CVE reports
1 – 8 of 8 results
KDE Messagelib through 5.17.0 reveals cleartext of encrypted messages in some situations. Deleting an attachment of a decrypted encrypted message stored on a remote server (e.g., an IMAP server) causes KMail to upload...
2 affected packages
kdepim4, kf5-messagelib
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
kdepim4 | Not in release | Not in release | Not in release | Needs evaluation |
kf5-messagelib | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
In KDE KMail 5.2.3, an attacker in possession of S/MIME or PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. The encrypted part(s) can further be hidden using HTML/CSS or ASCII newline characters....
3 affected packages
kmail, kdepim, kf5-messagelib
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
kmail | Not affected | Not affected | Not affected | Not affected |
kdepim | Not in release | Not in release | Not in release | Not in release |
kf5-messagelib | Not affected | Not affected | Not affected | Vulnerable |
messagepartthemes/default/defaultrenderer.cpp in messagelib in KDE Applications before 18.12.0 does not properly restrict the handling of an http-equiv="REFRESH" value.
1 affected package
kf5-messagelib
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
kf5-messagelib | Not affected | Vulnerable | Vulnerable | Vulnerable |
Some fixes available 3 of 7
KDE kmail before 5.5.2 and messagelib before 5.5.2, as distributed in KDE Applications before 17.04.2, do not ensure that a plugin's sign/encrypt action occurs during use of the Send Later feature, which allows remote attackers to...
2 affected packages
kdepim, kf5-messagelib
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
kdepim | — | — | — | — |
kf5-messagelib | — | — | — | — |
Some fixes available 18 of 34
The S/MIME specification allows a Cipher Block Chaining (CBC) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL.
5 affected packages
kmail, thunderbird, evolution, kf5-messagelib, kdepim
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
kmail | Not affected | Not affected | Not affected | Vulnerable |
thunderbird | Fixed | Fixed | Fixed | Fixed |
evolution | Not affected | Not affected | Not affected | Not affected |
kf5-messagelib | Not affected | Not affected | Not affected | Vulnerable |
kdepim | Not in release | Not in release | — | — |
KMail since version 5.3.0 used a QWebEngine-based viewer that had JavaScript enabled. HTML mail contents were not sanitized for JavaScript, and included code was executed.
2 affected packages
kdepim, kf5-messagelib
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
kdepim | — | — | — | — |
kf5-messagelib | — | — | — | — |
KMail since version 5.3.0 used a QWebEngine-based viewer that had JavaScript enabled. Since the generated HTML is executed in the local file security context by default access to remote and local URLs was enabled.
2 affected packages
kdepim, kf5-messagelib
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
kdepim | — | — | — | — |
kf5-messagelib | — | — | — | — |
Some fixes available 5 of 6
Through a malicious URL that contained a quote character, it was possible to inject HTML code in KMail's plaintext viewer. Due to the parser used on the URL, it was not possible to include the equal sign (=) or a space into...
4 affected packages
kcoreaddons, kdepim, kdepimlibs, kf5-messagelib
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
kcoreaddons | — | — | — | — |
kdepim | — | — | — | — |
kdepimlibs | — | — | — | — |
kf5-messagelib | — | — | — | — |