Vulnerability CVE-2016-7966

Vulnerability CVE-2016-7966

Published: 2016-12-23 Modified: 2016-12-24

Description:

Through a malicious URL that contained a quote character it was possible to inject HTML code in KMail's plaintext viewer. Due to the parser used on the URL it was not possible to include the equal sign (=) or a space into the injected HTML, which greatly reduces the available HTML functionality. Although it is possible to include an HTML comment indicator to hide content.

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score	Impact Subscore	Exploitability Subscore
7.5/10	6.4/10	10/10

Exploit range	Attack complexity	Authentication
Remote	Low	No required
Confidentiality impact	Integrity impact	Availability impact
Partial	Partial	Partial

Affected software
SUSE -> Linux enterprise
KDE -> Kmail
Fedoraproject -> Fedora
Debian -> Debian linux

References:

http://lists.opensuse.org/opensuse-updates/2016-10/msg00065.html

http://www.debian.org/security/2016/dsa-3697

http://www.openwall.com/lists/oss-security/2016/10/05/1

http://www.securityfocus.com/bid/93360

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QNMM5TVPTJQFPJ3YDF4DPXDFW3GQLWLY/

Copyright 2024, cxsecurity.com