[Bug 1631237] [NEW] KMail: HTML injection in plain text viewer
Scott Kitterman
ubuntu at kitterman.com
Fri Oct 7 03:58:18 UTC 2016
*** This bug is a security vulnerability ***
Public security bug reported:
Through a malicious URL that contained a quote character it
was possible to inject HTML code in KMail's plain text viewer.
Due to the parser used on the URL it was not possible to include
the equal sign (=) or a space into the injected HTML, which greatly
reduces the available HTML functionality. It is, however, possible
to include an HTML comment indicator to hide content.
Note: Affected package is kdepimlibs in 12.04 - 15.04 and it looks like
both kcoreaddons and messagecomposer in later releases.
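The bug class described above, as an added example that is not KMail's, kdepimlibs' or kcoreaddons' code: a hypothetical plain-text "linkifier" that turns URLs into anchors, shown once in the vulnerable form (the URL is spliced straight into the href attribute, so a quote character in the URL closes the attribute early) and once in the hardened form (every character that is special in HTML is escaped before the string is placed in the attribute or in the link text). The function names, the tokenizer and the sample message text are constructed for this illustration.

```cpp
#include <iostream>
#include <sstream>
#include <string>

// Escape the characters that are special in HTML text and attribute
// values. Escaping everything that can close an attribute or open a tag
// is the fix; filtering individual characters such as '=' or space only
// narrows what an injected string can do, as the report notes.
std::string htmlEscape(const std::string &in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

// Hypothetical URL detector: whitespace-separated tokens starting with
// http:// or https:// are treated as links.
static bool looksLikeUrl(const std::string &tok) {
    return tok.rfind("http://", 0) == 0 || tok.rfind("https://", 0) == 0;
}

// Shared tokenizer; 'escape' selects the vulnerable or hardened rendering.
static std::string linkify(const std::string &text, bool escape) {
    std::istringstream in(text);
    std::string tok, out;
    bool first = true;
    while (in >> tok) {
        if (!first) out += ' ';
        first = false;
        const std::string shown = escape ? htmlEscape(tok) : tok;
        if (looksLikeUrl(tok))
            out += "<a href=\"" + shown + "\">" + shown + "</a>";
        else
            out += shown;
    }
    return out;
}

// Vulnerable form: a '"' inside the URL terminates the href attribute and
// whatever follows it is parsed as markup rather than as part of the URL.
std::string linkifyUnsafe(const std::string &text) { return linkify(text, false); }

// Hardened form: the URL can no longer leave the attribute it was put in.
std::string linkifySafe(const std::string &text) { return linkify(text, true); }

// Extract the value of the first href attribute as an HTML parser would
// see it (everything up to the next raw '"'). A truncated value shows that
// the attribute boundary was broken.
std::string hrefValue(const std::string &html) {
    const std::string marker = "href=\"";
    std::string::size_type start = html.find(marker);
    if (start == std::string::npos) return "";
    start += marker.size();
    std::string::size_type end = html.find('"', start);
    if (end == std::string::npos) return "";
    return html.substr(start, end - start);
}

int main() {
    // Constructed message text whose URL carries a quote character.
    const std::string text = "see http://example.test/?x=\"y now";
    std::cout << "unsafe: " << linkifyUnsafe(text) << "\n";
    std::cout << "safe:   " << linkifySafe(text) << "\n";
    std::cout << "href seen by parser (unsafe): " << hrefValue(linkifyUnsafe(text)) << "\n";
    std::cout << "href seen by parser (safe):   " << hrefValue(linkifySafe(text)) << "\n";
    return 0;
}
```

In the unsafe rendering the parser sees the href end at `?x=` and the remainder of the URL becomes stray markup; in the safe rendering the attribute value is the whole URL with the quote encoded as `&quot;`, which a browser decodes back to the original character when following the link.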
** Affects: kdepimlibs (Ubuntu)
Importance: High
Status: Triaged
--
https://bugs.launchpad.net/bugs/1631237