Kde

Kmail

11 vulnerabilities found.

Note: This list may be incomplete. Data is provided without warranty in its original format.
  • EPSS 0.03%
  • Published 28.10.2024 00:15:03
  • Last modified 31.05.2025 08:15:19

ispdbservice.cpp in KDE Kmail before 6.2.0 allows man-in-the-middle attackers to trigger use of an attacker-controlled mail server because cleartext HTTP is used for a URL such as http://autoconfig.example.com or http://example.com/.well-known/autoco...

  • EPSS 0.16%
  • Published 10.08.2021 15:15:08
  • Last modified 21.11.2024 06:16:55

In KDE KMail 19.12.3 (aka 5.13.3), the SMTP STARTTLS option is not honored (and cleartext messages are sent) unless "Server requires authentication" is checked.

  • EPSS 0.14%
  • Published 27.07.2020 07:15:11
  • Last modified 21.11.2024 05:06:31

KDE KMail 19.12.3 (aka 5.13.3) engages in unencrypted POP3 communication during times when the UI indicates that encryption is in use.

  • EPSS 0.37%
  • Published 17.04.2020 18:15:11
  • Last modified 21.11.2024 04:58:48

An issue was discovered in KDE KMail before 19.12.3. By using the proprietary (non-RFC6068) "mailto?attach=..." parameter, a website (or other source of mailto links) can make KMail attach local files to a composed email message without showing a war...

Exploit
  • EPSS 0.19%
  • Published 07.04.2019 15:29:00
  • Last modified 21.11.2024 04:19:49

In KDE KMail 5.2.3, an attacker in possession of S/MIME or PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. The encrypted part(s) can further be hidden using HTML/CSS or ASCII newline characters. This modified multipa...

Exploit
  • EPSS 0.87%
  • Published 16.05.2018 19:29:00
  • Last modified 21.11.2024 03:18:27

The S/MIME specification allows a Cipher Block Chaining (CBC) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL.

  • EPSS 0.3%
  • Published 28.09.2017 01:29:00
  • Last modified 20.04.2025 01:37:25

KDE KMail does not encrypt attachments in emails when "automatic encryption" is enabled, which allows remote attackers to obtain sensitive information by sniffing the network.

  • EPSS 0.26%
  • Published 13.06.2017 13:29:00
  • Last modified 20.04.2025 01:37:25

KDE kmail before 5.5.2 and messagelib before 5.5.2, as distributed in KDE Applications before 17.04.2, do not ensure that a plugin's sign/encrypt action occurs during use of the Send Later feature, which allows remote attackers to obtain sensitive in...

  • EPSS 0.19%
  • Published 23.12.2016 22:59:00
  • Last modified 12.04.2025 10:46:40

Through a malicious URL that contained a quote character it was possible to inject HTML code in KMail's plaintext viewer. Due to the parser used on the URL it was not possible to include the equal sign (=) or a space into the injected HTML, which gre...

  • EPSS 0.33%
  • Published 23.12.2016 22:59:00
  • Last modified 12.04.2025 10:46:40

KMail since version 5.3.0 used a QWebEngine based viewer that had JavaScript enabled. Since the generated html is executed in the local file security context by default access to remote and local URLs was enabled.