VYPR

Mailvelope

by Mailvelope

CVEs (4)

  • CVE-2019-9149MedJul 9, 2019
    risk 0.42cvss 6.5epss 0.01

    Mailvelope prior to 3.3.0 allows private key operations without user interaction via its client-API. By modifying an URL parameter in Mailvelope, an attacker is able to sign (and encrypt) arbitrary messages with Mailvelope, assuming the private key password is cached. A second…

  • CVE-2019-9150MedJul 9, 2019
    risk 0.35cvss 5.3epss 0.01

    Mailvelope prior to 3.3.0 does not require user interaction to import public keys shown on web page. This functionality can be tricked to either hide a key import from the user or obscure which key was imported.

  • CVE-2019-9148MedJul 9, 2019
    risk 0.28cvss 4.3epss 0.01

    Mailvelope prior to 3.3.0 accepts or operates with invalid PGP public keys: Mailvelope allows importing keys that contain users without a valid self-certification. Keys that are obviously invalid are not rejected during import. An attacker that is able to get a victim to import…

  • CVE-2019-9147MedJul 9, 2019
    risk 0.28cvss 4.3epss 0.01

    Mailvelope prior to 3.1.0 is vulnerable to a clickjacking attack against the settings page. As the settings page is intended to be accessible from web applications, the browser's extension isolation mechanisms are disabled (web_accessible_resources). Mailvelope implements…