Search CVE reports
1 – 10 of 15 results
ispdbservice.cpp in KDE Kmail before 6.2.0 allows man-in-the-middle attackers to trigger use of an attacker-controlled mail server because cleartext HTTP is used for a URL such as http://autoconfig.example.com...
3 affected packages
kmail, kmail-account-wizard, kdepim
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
kmail | Not affected | Not affected | Not affected | Not affected |
kmail-account-wizard | Vulnerable | Vulnerable | Vulnerable | Vulnerable |
kdepim | Not in release | Not in release | — | — |
KDE Messagelib through 5.17.0 reveals cleartext of encrypted messages in some situations. Deleting an attachment of a decrypted encrypted message stored on a remote server (e.g., an IMAP server) causes KMail to upload...
2 affected packages
kdepim4, kf5-messagelib
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
kdepim4 | Not in release | Not in release | Not in release | Needs evaluation |
kf5-messagelib | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
KDE KMail 19.12.3 (aka 5.13.3) engages in unencrypted POP3 communication during times when the UI indicates that encryption is in use.
2 affected packages
kdepim-runtime, kmail-account-wizard
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
kdepim-runtime | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
kmail-account-wizard | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
An issue was discovered in KDE KMail before 19.12.3. By using the proprietary (non-RFC6068) "mailto?attach=..." parameter, a website (or other source of mailto links) can make KMail attach local files to a composed email message...
2 affected packages
kdepim, kmail
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
kdepim | Not in release | Not in release | Not in release | Not in release |
kmail | Not affected | Not affected | Vulnerable | Vulnerable |
In KDE KMail 5.2.3, an attacker in possession of S/MIME or PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. The encrypted part(s) can further be hidden using HTML/CSS or ASCII newline characters....
3 affected packages
kmail, kdepim, kf5-messagelib
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
kmail | Not affected | Not affected | Not affected | Not affected |
kdepim | Not in release | Not in release | Not in release | Not in release |
kf5-messagelib | Not affected | Not affected | Not affected | Vulnerable |
Some fixes available 3 of 7
KDE kmail before 5.5.2 and messagelib before 5.5.2, as distributed in KDE Applications before 17.04.2, do not ensure that a plugin's sign/encrypt action occurs during use of the Send Later feature, which allows remote attackers to...
2 affected packages
kdepim, kf5-messagelib
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
kdepim | — | — | — | — |
kf5-messagelib | — | — | — | — |
Some fixes available 18 of 34
The S/MIME specification allows a Cipher Block Chaining (CBC) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL.
5 affected packages
kmail, thunderbird, evolution, kf5-messagelib, kdepim
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
kmail | Not affected | Not affected | Not affected | Vulnerable |
thunderbird | Fixed | Fixed | Fixed | Fixed |
evolution | Not affected | Not affected | Not affected | Not affected |
kf5-messagelib | Not affected | Not affected | Not affected | Vulnerable |
kdepim | Not in release | Not in release | — | — |
KMail since version 5.3.0 used a QWebEngine-based viewer that had JavaScript enabled. HTML mail contents were not sanitized for JavaScript, and included code was executed.
2 affected packages
kdepim, kf5-messagelib
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
kdepim | — | — | — | — |
kf5-messagelib | — | — | — | — |
KMail since version 5.3.0 used a QWebEngine-based viewer that had JavaScript enabled. Since the generated HTML is executed in the local file security context by default access to remote and local URLs was enabled.
2 affected packages
kdepim, kf5-messagelib
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
kdepim | — | — | — | — |
kf5-messagelib | — | — | — | — |
Some fixes available 5 of 6
Through a malicious URL that contained a quote character, it was possible to inject HTML code in KMail's plaintext viewer. Due to the parser used on the URL it was not possible to include the equal sign (=) or a space into...
4 affected packages
kcoreaddons, kdepim, kdepimlibs, kf5-messagelib
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
kcoreaddons | — | — | — | — |
kdepim | — | — | — | — |
kdepimlibs | — | — | — | — |
kf5-messagelib | — | — | — | — |