Vendor CVEs
KDE
All CVEs
223 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2009-2896 | 0.03 | — | 0.06 | Aug 20, 2009 | Buffer overflow in KMplayer 2.9.4.1433 and earlier allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via a long string in a subtitle (.srt) playlist file. NOTE: some of these details are obtained from third party information. | |||
| CVE-2008-5712 | 0.03 | — | 0.04 | Dec 24, 2008 | The HTML parser in KDE Konqueror 3.5.9 allows remote attackers to cause a denial of service (application crash) via (1) a long COLOR attribute in an HR element; or a long (a) BGCOLOR or (b) BORDERCOLOR attribute in a (2) TABLE, (3) TD, or (4) TR element. NOTE: the FONT vector… | |||
| CVE-2008-5698 | 0.03 | — | 0.03 | Dec 22, 2008 | HTMLTokenizer::scriptHandler in Konqueror in KDE 3.5.9 and 3.5.10 allows remote attackers to cause a denial of service (application crash) via an invalid document.load call that triggers use of a deleted object. NOTE: some of these details are obtained from third party… | |||
| CVE-2007-6000 | 0.03 | — | 0.03 | Nov 15, 2007 | KDE Konqueror 3.5.6 and earlier allows remote attackers to cause a denial of service (crash) via large HTTP cookie parameters. | |||
| CVE-2007-4941 | 0.03 | — | 0.03 | Sep 18, 2007 | KMPlayer 2.9.3.1210 and earlier allows remote attackers to cause a denial of service (CPU consumption) via a .avi file with certain large "indx truck size" and nEntriesInuse values. | |||
| CVE-2007-4229 | 0.03 | — | 0.02 | Aug 8, 2007 | Unspecified vulnerability in KDE Konqueror 3.5.7 and earlier allows remote attackers to cause a denial of service (failed assertion and application crash) via certain malformed HTML, as demonstrated by a document containing TEXTAREA, BUTTON, BR, BDO, PRE, FRAMESET, and A tags. … | |||
| CVE-2007-1564 | 0.03 | — | 0.04 | Mar 21, 2007 | The FTP protocol implementation in Konqueror 3.5.5 allows remote servers to force the client to connect to other servers, perform a proxied port scan, or obtain sensitive information by specifying an alternate server address in an FTP PASV response. | |||
| CVE-2006-7139 | 0.03 | — | 0.03 | Mar 7, 2007 | Kmail 1.9.1 on KDE 3.5.2, with "Prefer HTML to Plain Text" enabled, allows remote attackers to cause a denial of service (crash) via an HTML e-mail with certain table and frameset tags that trigger a segmentation fault, possibly involving invalid free or delete operations. | |||
| CVE-2006-6660 | 0.03 | — | 0.02 | Dec 20, 2006 | The nodeType function in KDE libkhtml 4.2.0 and earlier, as used by Konquerer, KMail, and other programs, allows remote attackers to cause a denial of service (crash) via malformed HTML tags, possibly involving a COL SPAN tag embedded in a RANGE tag. | |||
| CVE-2005-0404 | 0.03 | — | 0.03 | May 2, 2005 | KMail 1.7.1 in KDE 3.3.2 allows remote attackers to spoof email information, such as whether the email has been digitally signed or encrypted, via HTML formatted email. | |||
| CVE-2004-1165 | 0.03 | — | 0.04 | Jan 10, 2005 | Konqueror 3.3.1 allows remote attackers to execute arbitrary FTP commands via an ftp:// URL that contains a URL-encoded newline ("%0a") before the FTP command, which causes the commands to be inserted into the resulting FTP session, as demonstrated using a PORT command. | |||
| CVE-2004-0527 | 0.03 | — | 0.06 | Aug 6, 2004 | KDE Konqueror 2.1.1 and 2.2.2 allows remote attackers to spoof a legitimate URL in the status bar via A HREF tags with modified "alt" values that point to the legitimate site, combined with an image map whose href points to the malicious site, which facilitates a "phishing"… | |||
| CVE-2003-1478 | 0.03 | — | 0.04 | Dec 31, 2003 | Konqueror in KDE 3.0.3 allows remote attackers to cause a denial of service (core dump) via a web page that begins with a "xFFxFE" byte sequence and a large number of CRLF sequences, as demonstrated using freeze.htm. | |||
| CVE-2002-0227 | 0.03 | — | 0.03 | May 16, 2002 | KICQ 2.0.0b1 allows remote attackers to cause a denial of service (crash) via a malformed message. | |||
| CVE-2001-0782 | 0.03 | — | 0.01 | Oct 18, 2001 | KDE ktvision 0.1.1-271 and earlier allows local attackers to gain root privileges via a symlink attack on a user configuration file. | |||
| CVE-2001-0610 | 0.03 | — | 0.01 | Aug 2, 2001 | kfm as included with KDE 1.x can allow a local attacker to gain additional privileges via a symlink attack in the kfm cache directory in /tmp. | |||
| CVE-2000-0530 | 0.03 | — | 0.01 | May 31, 2000 | The KApplication class in the KDE 1.1.2 configuration file management capability allows local users to overwrite arbitrary files. | |||
| CVE-2000-0460 | 0.03 | — | 0.01 | May 27, 2000 | Buffer overflow in KDE kdesud on Linux allows local uses to gain privileges via a long DISPLAY environmental variable. | |||
| CVE-2000-0393 | 0.03 | — | 0.01 | May 16, 2000 | The KDE kscd program does not drop privileges when executing a program specified in a user's SHELL environmental variable, which allows the user to gain privileges by specifying an alternate program to execute. | |||
| CVE-1999-0735 | 0.03 | — | 0.01 | Jan 4, 2000 | KDE K-Mail allows local users to gain privileges via a symlink attack in temporary user directories. | |||
| CVE-2020-24972 | 0.02 | — | 0.05 | Aug 29, 2020 | The Kleopatra component before 3.1.12 (and before 20.07.80) for GnuPG allows remote attackers to execute arbitrary code because openpgp4fpr: URLs are supported without safe handling of command-line options. The Qt platformpluginpath command-line option can be used to load an… | |||
| CVE-2005-2971 | 0.01 | — | 0.06 | Oct 20, 2005 | Heap-based buffer overflow in the KWord RTF importer for KOffice 1.2.0 through 1.4.1 allows remote attackers to execute arbitrary code via a crafted RTF file. | |||
| CVE-2004-0888 | 0.01 | — | 0.09 | Jan 27, 2005 | Multiple integer overflows in xpdf 2.0 and 3.0, and other packages that use xpdf code such as CUPS, gpdf, and kdegraphics, allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code, a different set of vulnerabilities than those identified by… | |||
| CVE-2004-1125 | 0.01 | — | 0.07 | Jan 10, 2005 | Buffer overflow in the Gfx::doImage function in Gfx.cc for xpdf 3.00, and other products that share code such as tetex-bin and kpdf in KDE 3.2.x to 3.2.3 and 3.3.x to 3.3.2, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary… | |||
| CVE-2004-0867 | 0.01 | — | 0.17 | Dec 23, 2004 | Mozilla Firefox 0.9.2 allows web sites to set cookies for country-specific top-level domains, such as .ltd.uk, .plc.uk, and .sch.uk, which could allow remote attackers to perform a session fixation attack and hijack a user's HTTP session. NOTE: it was later reported that 2.x is… | |||
| CVE-2004-0803 | 0.01 | — | 0.08 | Dec 23, 2004 | Multiple vulnerabilities in the RLE (run length encoding) decoders for libtiff 3.6.1 and earlier, related to buffer overflows and integer overflows, allow remote attackers to execute arbitrary code via TIFF files. | |||
| CVE-2004-0866 | 0.01 | — | 0.10 | Sep 16, 2004 | Internet Explorer 6.0 allows web sites to set cookies for country-specific top-level domains, such as .ltd.uk, .plc.uk, and .sch.uk, which could allow remote attackers to perform a session fixation attack and hijack a user's HTTP session. | |||
| CVE-2004-0411 | 0.01 | — | 0.08 | Jul 7, 2004 | The URI handlers in Konqueror for KDE 3.2.2 and earlier do not properly filter "-" characters that begin a hostname in a (1) telnet, (2) rlogin, (3) ssh, or (4) mailto URI, which allows remote attackers to manipulate the options that are passed to the associated programs,… | |||
| CVE-2024-36041 | 0.00 | — | 0.00 | Jul 5, 2024 | KSmserver in KDE Plasma Workspace (aka plasma-workspace) before 5.27.11.1 and 6.x before 6.0.5.1 allows connections via ICE based purely on the host, i.e., all local connections are accepted. This allows another user on the same machine to gain access to the session manager,… | |||
| CVE-2024-1433 | 0.00 | — | 0.01 | Feb 11, 2024 | A vulnerability, which was classified as problematic, was found in KDE Plasma Workspace up to 5.93.0. This affects the function EventPluginsManager::enabledPlugins of the file components/calendar/eventpluginsmanager.cpp of the component Theme File Handler. The manipulation of… | |||
| CVE-2022-28223 | 0.00 | — | 0.01 | Mar 30, 2022 | Tekon KIO devices through 2022-03-30 allow an authenticated admin user to escalate privileges to root by uploading a malicious Lua plugin. | |||
| CVE-2022-24986 | 0.00 | — | 0.00 | Feb 26, 2022 | KDE KCron through 21.12.2 uses a temporary file in /tmp when saving, but reuses the filename during an editing session. Thus, someone watching it be created the first time could potentially intercept the file the following time, enabling that person to run unauthorized commands. | |||
| CVE-2022-23853 | 0.00 | — | 0.01 | Feb 11, 2022 | The LSP (Language Server Protocol) plugin in KDE Kate before 21.12.2 and KTextEditor before 5.91.0 tries to execute the associated LSP server binary when opening a file of a given type. If this binary is absent from the PATH, it will try running the LSP server binary in the… | |||
| CVE-2021-38373 | 0.00 | — | 0.01 | Aug 10, 2021 | In KDE KMail 19.12.3 (aka 5.13.3), the SMTP STARTTLS option is not honored (and cleartext messages are sent) unless "Server requires authentication" is checked. | |||
| CVE-2021-36083 | 0.00 | — | 0.01 | Jul 1, 2021 | KDE KImageFormats 5.70.0 through 5.81.0 has a stack-based buffer overflow in XCFImageFormat::loadTileRLE. | |||
| CVE-2021-31855 | 0.00 | — | 0.01 | Jun 2, 2021 | KDE Messagelib through 5.17.0 reveals cleartext of encrypted messages in some situations. Deleting an attachment of a decrypted encrypted message stored on a remote server (e.g., an IMAP server) causes KMail to upload the decrypted content of the message to the remote server.… | |||
| CVE-2021-33204 | 0.00 | — | 0.02 | May 19, 2021 | In the pg_partman (aka PG Partition Manager) extension before 4.5.1 for PostgreSQL, arbitrary code execution can be achieved via SECURITY DEFINER functions because an explicit search_path is not set. | |||
| CVE-2020-27187 | 0.00 | — | 0.00 | Oct 26, 2020 | An issue was discovered in KDE Partition Manager 4.1.0 before 4.2.0. The kpmcore_externalcommand helper contains a logic flaw in which the service invoking D-Bus is not properly checked. An attacker on the local machine can replace /etc/fstab, and execute mount and other… | |||
| CVE-2020-26164 | 0.00 | — | 0.01 | Oct 7, 2020 | In kdeconnect-kde (aka KDE Connect) before 20.08.2, an attacker on the local network could send crafted packets that trigger use of large amounts of CPU, memory, or network connection slots, aka a Denial of Service attack. | |||
| CVE-2020-24654 | 0.00 | — | 0.01 | Sep 2, 2020 | In KDE Ark before 20.08.1, a crafted TAR archive with symlinks can install files outside the extraction directory, as demonstrated by a write operation to a user's home directory. | |||
| CVE-2020-16116 | 0.00 | — | 0.02 | Aug 3, 2020 | In kerfuffle/jobs.cpp in KDE Ark before 20.08.0, a crafted archive can install files outside the extraction directory via ../ directory traversal. | |||
| CVE-2020-15954 | 0.00 | — | 0.01 | Jul 27, 2020 | KDE KMail 19.12.3 (aka 5.13.3) engages in unencrypted POP3 communication during times when the UI indicates that encryption is in use. | |||
| CVE-2020-12755 | 0.00 | — | 0.00 | May 9, 2020 | fishProtocol::establishConnection in fish/fish.cpp in KDE kio-extras through 20.04.0 makes a cacheAuthentication call even if the user had not set the keepPassword option. This may lead to unintended KWallet storage of a password. | |||
| CVE-2020-11880 | 0.00 | — | 0.01 | Apr 17, 2020 | An issue was discovered in KDE KMail before 19.12.3. By using the proprietary (non-RFC6068) "mailto?attach=..." parameter, a website (or other source of mailto links) can make KMail attach local files to a composed email message without showing a warning to the user, as… | |||
| CVE-2020-9359 | 0.00 | — | 0.01 | Mar 24, 2020 | KDE Okular before 1.10.0 allows code execution via an action link in a PDF document. | |||
| CVE-2018-19516 | 0.00 | — | 0.01 | Mar 12, 2020 | messagepartthemes/default/defaultrenderer.cpp in messagelib in KDE Applications before 18.12.0 does not properly restrict the handling of an http-equiv="REFRESH" value. | |||
| CVE-2013-2213 | 0.00 | — | 0.00 | Feb 11, 2020 | The KRandom::random function in KDE Paste Applet after 4.10.5 in kdeplasma-addons uses the GNU C Library rand function's linear congruential generator, which makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms by predicting the generator… | |||
| CVE-2013-2120 | 0.00 | — | 0.01 | Feb 11, 2020 | The %{password(...)} macro in pastemacroexpander.cpp in the KDE Paste Applet before 4.10.5 in kdeplasma-addons does not properly generate passwords, which allows context-dependent attackers to bypass authentication via a brute-force attack. | |||
| CVE-2013-4133 | 0.00 | — | 0.03 | Dec 10, 2019 | kde-workspace before 4.10.5 has a memory leak in plasma desktop | |||
| CVE-2019-14744 | 0.00 | — | 0.04 | Aug 7, 2019 | In KDE Frameworks KConfig before 5.61.0, malicious desktop files and configuration files lead to code execution with minimal user interaction. This relates to libKF5ConfigCore.so, and the mishandling of .desktop and .directory files, as demonstrated by a shell command on an Icon… |
- CVE-2009-2896Aug 20, 2009risk 0.03cvss —epss 0.06
Buffer overflow in KMplayer 2.9.4.1433 and earlier allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via a long string in a subtitle (.srt) playlist file. NOTE: some of these details are obtained from third party information.
- CVE-2008-5712Dec 24, 2008risk 0.03cvss —epss 0.04
The HTML parser in KDE Konqueror 3.5.9 allows remote attackers to cause a denial of service (application crash) via (1) a long COLOR attribute in an HR element; or a long (a) BGCOLOR or (b) BORDERCOLOR attribute in a (2) TABLE, (3) TD, or (4) TR element. NOTE: the FONT vector…
- CVE-2008-5698Dec 22, 2008risk 0.03cvss —epss 0.03
HTMLTokenizer::scriptHandler in Konqueror in KDE 3.5.9 and 3.5.10 allows remote attackers to cause a denial of service (application crash) via an invalid document.load call that triggers use of a deleted object. NOTE: some of these details are obtained from third party…
- CVE-2007-6000Nov 15, 2007risk 0.03cvss —epss 0.03
KDE Konqueror 3.5.6 and earlier allows remote attackers to cause a denial of service (crash) via large HTTP cookie parameters.
- CVE-2007-4941Sep 18, 2007risk 0.03cvss —epss 0.03
KMPlayer 2.9.3.1210 and earlier allows remote attackers to cause a denial of service (CPU consumption) via a .avi file with certain large "indx truck size" and nEntriesInuse values.
- CVE-2007-4229Aug 8, 2007risk 0.03cvss —epss 0.02
Unspecified vulnerability in KDE Konqueror 3.5.7 and earlier allows remote attackers to cause a denial of service (failed assertion and application crash) via certain malformed HTML, as demonstrated by a document containing TEXTAREA, BUTTON, BR, BDO, PRE, FRAMESET, and A tags. …
- CVE-2007-1564Mar 21, 2007risk 0.03cvss —epss 0.04
The FTP protocol implementation in Konqueror 3.5.5 allows remote servers to force the client to connect to other servers, perform a proxied port scan, or obtain sensitive information by specifying an alternate server address in an FTP PASV response.
- CVE-2006-7139Mar 7, 2007risk 0.03cvss —epss 0.03
Kmail 1.9.1 on KDE 3.5.2, with "Prefer HTML to Plain Text" enabled, allows remote attackers to cause a denial of service (crash) via an HTML e-mail with certain table and frameset tags that trigger a segmentation fault, possibly involving invalid free or delete operations.
- CVE-2006-6660Dec 20, 2006risk 0.03cvss —epss 0.02
The nodeType function in KDE libkhtml 4.2.0 and earlier, as used by Konquerer, KMail, and other programs, allows remote attackers to cause a denial of service (crash) via malformed HTML tags, possibly involving a COL SPAN tag embedded in a RANGE tag.
- CVE-2005-0404May 2, 2005risk 0.03cvss —epss 0.03
KMail 1.7.1 in KDE 3.3.2 allows remote attackers to spoof email information, such as whether the email has been digitally signed or encrypted, via HTML formatted email.
- CVE-2004-1165Jan 10, 2005risk 0.03cvss —epss 0.04
Konqueror 3.3.1 allows remote attackers to execute arbitrary FTP commands via an ftp:// URL that contains a URL-encoded newline ("%0a") before the FTP command, which causes the commands to be inserted into the resulting FTP session, as demonstrated using a PORT command.
- CVE-2004-0527Aug 6, 2004risk 0.03cvss —epss 0.06
KDE Konqueror 2.1.1 and 2.2.2 allows remote attackers to spoof a legitimate URL in the status bar via A HREF tags with modified "alt" values that point to the legitimate site, combined with an image map whose href points to the malicious site, which facilitates a "phishing"…
- CVE-2003-1478Dec 31, 2003risk 0.03cvss —epss 0.04
Konqueror in KDE 3.0.3 allows remote attackers to cause a denial of service (core dump) via a web page that begins with a "xFFxFE" byte sequence and a large number of CRLF sequences, as demonstrated using freeze.htm.
- CVE-2002-0227May 16, 2002risk 0.03cvss —epss 0.03
KICQ 2.0.0b1 allows remote attackers to cause a denial of service (crash) via a malformed message.
- CVE-2001-0782Oct 18, 2001risk 0.03cvss —epss 0.01
KDE ktvision 0.1.1-271 and earlier allows local attackers to gain root privileges via a symlink attack on a user configuration file.
- CVE-2001-0610Aug 2, 2001risk 0.03cvss —epss 0.01
kfm as included with KDE 1.x can allow a local attacker to gain additional privileges via a symlink attack in the kfm cache directory in /tmp.
- CVE-2000-0530May 31, 2000risk 0.03cvss —epss 0.01
The KApplication class in the KDE 1.1.2 configuration file management capability allows local users to overwrite arbitrary files.
- CVE-2000-0460May 27, 2000risk 0.03cvss —epss 0.01
Buffer overflow in KDE kdesud on Linux allows local uses to gain privileges via a long DISPLAY environmental variable.
- CVE-2000-0393May 16, 2000risk 0.03cvss —epss 0.01
The KDE kscd program does not drop privileges when executing a program specified in a user's SHELL environmental variable, which allows the user to gain privileges by specifying an alternate program to execute.
- CVE-1999-0735Jan 4, 2000risk 0.03cvss —epss 0.01
KDE K-Mail allows local users to gain privileges via a symlink attack in temporary user directories.
- CVE-2020-24972Aug 29, 2020risk 0.02cvss —epss 0.05
The Kleopatra component before 3.1.12 (and before 20.07.80) for GnuPG allows remote attackers to execute arbitrary code because openpgp4fpr: URLs are supported without safe handling of command-line options. The Qt platformpluginpath command-line option can be used to load an…
- CVE-2005-2971Oct 20, 2005risk 0.01cvss —epss 0.06
Heap-based buffer overflow in the KWord RTF importer for KOffice 1.2.0 through 1.4.1 allows remote attackers to execute arbitrary code via a crafted RTF file.
- CVE-2004-0888Jan 27, 2005risk 0.01cvss —epss 0.09
Multiple integer overflows in xpdf 2.0 and 3.0, and other packages that use xpdf code such as CUPS, gpdf, and kdegraphics, allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code, a different set of vulnerabilities than those identified by…
- CVE-2004-1125Jan 10, 2005risk 0.01cvss —epss 0.07
Buffer overflow in the Gfx::doImage function in Gfx.cc for xpdf 3.00, and other products that share code such as tetex-bin and kpdf in KDE 3.2.x to 3.2.3 and 3.3.x to 3.3.2, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary…
- CVE-2004-0867Dec 23, 2004risk 0.01cvss —epss 0.17
Mozilla Firefox 0.9.2 allows web sites to set cookies for country-specific top-level domains, such as .ltd.uk, .plc.uk, and .sch.uk, which could allow remote attackers to perform a session fixation attack and hijack a user's HTTP session. NOTE: it was later reported that 2.x is…
- CVE-2004-0803Dec 23, 2004risk 0.01cvss —epss 0.08
Multiple vulnerabilities in the RLE (run length encoding) decoders for libtiff 3.6.1 and earlier, related to buffer overflows and integer overflows, allow remote attackers to execute arbitrary code via TIFF files.
- CVE-2004-0866Sep 16, 2004risk 0.01cvss —epss 0.10
Internet Explorer 6.0 allows web sites to set cookies for country-specific top-level domains, such as .ltd.uk, .plc.uk, and .sch.uk, which could allow remote attackers to perform a session fixation attack and hijack a user's HTTP session.
- CVE-2004-0411Jul 7, 2004risk 0.01cvss —epss 0.08
The URI handlers in Konqueror for KDE 3.2.2 and earlier do not properly filter "-" characters that begin a hostname in a (1) telnet, (2) rlogin, (3) ssh, or (4) mailto URI, which allows remote attackers to manipulate the options that are passed to the associated programs,…
- CVE-2024-36041Jul 5, 2024risk 0.00cvss —epss 0.00
KSmserver in KDE Plasma Workspace (aka plasma-workspace) before 5.27.11.1 and 6.x before 6.0.5.1 allows connections via ICE based purely on the host, i.e., all local connections are accepted. This allows another user on the same machine to gain access to the session manager,…
- CVE-2024-1433Feb 11, 2024risk 0.00cvss —epss 0.01
A vulnerability, which was classified as problematic, was found in KDE Plasma Workspace up to 5.93.0. This affects the function EventPluginsManager::enabledPlugins of the file components/calendar/eventpluginsmanager.cpp of the component Theme File Handler. The manipulation of…
- CVE-2022-28223Mar 30, 2022risk 0.00cvss —epss 0.01
Tekon KIO devices through 2022-03-30 allow an authenticated admin user to escalate privileges to root by uploading a malicious Lua plugin.
- CVE-2022-24986Feb 26, 2022risk 0.00cvss —epss 0.00
KDE KCron through 21.12.2 uses a temporary file in /tmp when saving, but reuses the filename during an editing session. Thus, someone watching it be created the first time could potentially intercept the file the following time, enabling that person to run unauthorized commands.
- CVE-2022-23853Feb 11, 2022risk 0.00cvss —epss 0.01
The LSP (Language Server Protocol) plugin in KDE Kate before 21.12.2 and KTextEditor before 5.91.0 tries to execute the associated LSP server binary when opening a file of a given type. If this binary is absent from the PATH, it will try running the LSP server binary in the…
- CVE-2021-38373Aug 10, 2021risk 0.00cvss —epss 0.01
In KDE KMail 19.12.3 (aka 5.13.3), the SMTP STARTTLS option is not honored (and cleartext messages are sent) unless "Server requires authentication" is checked.
- CVE-2021-36083Jul 1, 2021risk 0.00cvss —epss 0.01
KDE KImageFormats 5.70.0 through 5.81.0 has a stack-based buffer overflow in XCFImageFormat::loadTileRLE.
- CVE-2021-31855Jun 2, 2021risk 0.00cvss —epss 0.01
KDE Messagelib through 5.17.0 reveals cleartext of encrypted messages in some situations. Deleting an attachment of a decrypted encrypted message stored on a remote server (e.g., an IMAP server) causes KMail to upload the decrypted content of the message to the remote server.…
- CVE-2021-33204May 19, 2021risk 0.00cvss —epss 0.02
In the pg_partman (aka PG Partition Manager) extension before 4.5.1 for PostgreSQL, arbitrary code execution can be achieved via SECURITY DEFINER functions because an explicit search_path is not set.
- CVE-2020-27187Oct 26, 2020risk 0.00cvss —epss 0.00
An issue was discovered in KDE Partition Manager 4.1.0 before 4.2.0. The kpmcore_externalcommand helper contains a logic flaw in which the service invoking D-Bus is not properly checked. An attacker on the local machine can replace /etc/fstab, and execute mount and other…
- CVE-2020-26164Oct 7, 2020risk 0.00cvss —epss 0.01
In kdeconnect-kde (aka KDE Connect) before 20.08.2, an attacker on the local network could send crafted packets that trigger use of large amounts of CPU, memory, or network connection slots, aka a Denial of Service attack.
- CVE-2020-24654Sep 2, 2020risk 0.00cvss —epss 0.01
In KDE Ark before 20.08.1, a crafted TAR archive with symlinks can install files outside the extraction directory, as demonstrated by a write operation to a user's home directory.
- CVE-2020-16116Aug 3, 2020risk 0.00cvss —epss 0.02
In kerfuffle/jobs.cpp in KDE Ark before 20.08.0, a crafted archive can install files outside the extraction directory via ../ directory traversal.
- CVE-2020-15954Jul 27, 2020risk 0.00cvss —epss 0.01
KDE KMail 19.12.3 (aka 5.13.3) engages in unencrypted POP3 communication during times when the UI indicates that encryption is in use.
- CVE-2020-12755May 9, 2020risk 0.00cvss —epss 0.00
fishProtocol::establishConnection in fish/fish.cpp in KDE kio-extras through 20.04.0 makes a cacheAuthentication call even if the user had not set the keepPassword option. This may lead to unintended KWallet storage of a password.
- CVE-2020-11880Apr 17, 2020risk 0.00cvss —epss 0.01
An issue was discovered in KDE KMail before 19.12.3. By using the proprietary (non-RFC6068) "mailto?attach=..." parameter, a website (or other source of mailto links) can make KMail attach local files to a composed email message without showing a warning to the user, as…
- CVE-2020-9359Mar 24, 2020risk 0.00cvss —epss 0.01
KDE Okular before 1.10.0 allows code execution via an action link in a PDF document.
- CVE-2018-19516Mar 12, 2020risk 0.00cvss —epss 0.01
messagepartthemes/default/defaultrenderer.cpp in messagelib in KDE Applications before 18.12.0 does not properly restrict the handling of an http-equiv="REFRESH" value.
- CVE-2013-2213Feb 11, 2020risk 0.00cvss —epss 0.00
The KRandom::random function in KDE Paste Applet after 4.10.5 in kdeplasma-addons uses the GNU C Library rand function's linear congruential generator, which makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms by predicting the generator…
- CVE-2013-2120Feb 11, 2020risk 0.00cvss —epss 0.01
The %{password(...)} macro in pastemacroexpander.cpp in the KDE Paste Applet before 4.10.5 in kdeplasma-addons does not properly generate passwords, which allows context-dependent attackers to bypass authentication via a brute-force attack.
- CVE-2013-4133Dec 10, 2019risk 0.00cvss —epss 0.03
kde-workspace before 4.10.5 has a memory leak in plasma desktop
- CVE-2019-14744Aug 7, 2019risk 0.00cvss —epss 0.04
In KDE Frameworks KConfig before 5.61.0, malicious desktop files and configuration files lead to code execution with minimal user interaction. This relates to libKF5ConfigCore.so, and the mishandling of .desktop and .directory files, as demonstrated by a shell command on an Icon…
Page 2 of 5