Vulnerability CVE-2012-3413


Published: 2012-08-07

Description:
The HTMLQuoteColorer::process function in messageviewer/htmlquotecolorer.cpp in KDE PIM 4.6 through 4.8 does not disable JavaScript, Java, and Plugins, which allows remote attackers to inject arbitrary web script or HTML via a crafted email.

Type:

CWE-16

(Configuration)

Vendor: KDE
Product: Kde pim 
Version: 4.8; 4.6;

CVSS2 => (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.3/10
2.9/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
None
Partial
None

 References:
https://projects.kde.org/projects/kde/kdepim/repository/revisions/dbb2f72f4745e00f53031965a9c10b2d6862bd54
http://www.openwall.com/lists/oss-security/2012/07/17/11
http://www.openwall.com/lists/oss-security/2012/07/16/3
http://www.openwall.com/lists/oss-security/2012/07/13/4
http://www.openwall.com/lists/oss-security/2012/07/13/3
http://ubuntu.com/usn/usn-1512-1
http://secunia.com/advisories/50008
http://lists.fedoraproject.org/pipermail/package-announce/2012-July/084262.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-July/083946.html

Related CVE
CVE-2019-10732
In KDE KMail 5.2.3, an attacker in possession of S/MIME or PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. The encrypted part(s) can further be hidden using HTML/CSS or ASCII newline characters. This modified multipa...
CVE-2018-19120
The HTML thumbnailer plugin in KDE Applications before 18.12.0 allows attackers to trigger outbound TCP connections to arbitrary IP addresses, leading to disclosure of the source IP address.
CVE-2018-1000801
okular version 18.08 and earlier contains a Directory Traversal vulnerability in function "unpackDocumentArchive(...)" in "core/document.cpp" that can result in Arbitrary file creation on the user workstation. This attack appear to be exploitable via...
CVE-2017-17689
The S/MIME specification allows a Cipher Block Chaining (CBC) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL.
CVE-2018-6791
An issue was discovered in soliduiserver/deviceserviceaction.cpp in KDE Plasma Workspace before 5.12.0. When a vfat thumbdrive that contains `` or $() in its volume label is plugged in and mounted through the device notifier, it's interpreted as a sh...
CVE-2018-6790
An issue was discovered in KDE Plasma Workspace before 5.12.0. dataengines/notifications/notificationsengine.cpp allows remote attackers to discover client IP addresses via a URL in a notification, as demonstrated by the src attribute of an IMG eleme...
CVE-2014-8878
KDE KMail does not encrypt attachments in emails when "automatic encryption" is enabled, which allows remote attackers to obtain sensitive information by sniffing the network.
CVE-2015-7543
aRts 1.5.10 and kdelibs3 3.5.10 and earlier do not properly create temporary directories, which allows local users to hijack the IPC by pre-creating the temporary directory.

Copyright 2019, cxsecurity.com

 

Back to Top