Kmail
Sign in to watchby KDE
CVEs (5)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2016-7967 | Hig | 0.53 | 8.1 | 0.00 | Dec 23, 2016 | KMail since version 5.3.0 used a QWebEngine based viewer that had JavaScript enabled. Since the generated html is executed in the local file security context by default access to remote and local URLs was enabled. | |
| CVE-2017-9604 | Hig | 0.49 | 7.5 | 0.00 | Jun 13, 2017 | KDE kmail before 5.5.2 and messagelib before 5.5.2, as distributed in KDE Applications before 17.04.2, do not ensure that a plugin's sign/encrypt action occurs during use of the Send Later feature, which allows remote attackers to obtain sensitive information by sniffing the network. | |
| CVE-2016-7966 | Hig | 0.47 | 7.3 | 0.00 | Dec 23, 2016 | Through a malicious URL that contained a quote character it was possible to inject HTML code in KMail's plaintext viewer. Due to the parser used on the URL it was not possible to include the equal sign (=) or a space into the injected HTML, which greatly reduces the available HTML functionality. Although it is possible to include an HTML comment indicator to hide content. | |
| CVE-2016-7968 | Med | 0.42 | 6.5 | 0.00 | Dec 23, 2016 | KMail since version 5.3.0 used a QWebEngine based viewer that had JavaScript enabled. HTML Mail contents were not sanitized for JavaScript and included code was executed. | |
| CVE-2014-8878 | Med | 0.38 | 5.9 | 0.00 | Sep 28, 2017 | KDE KMail does not encrypt attachments in emails when "automatic encryption" is enabled, which allows remote attackers to obtain sensitive information by sniffing the network. |