CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2021-38373
https://notcve.org/view.php?id=CVE-2021-38373
10 Aug 2021 — In KDE KMail 19.12.3 (aka 5.13.3), the SMTP STARTTLS option is not honored (and cleartext messages are sent) unless "Server requires authentication" is checked. En KDE KMail versión 19.12.3 (también se conoce como 5.13.3), la opción SMTP STARTTLS no es respetada (y se envían mensajes en texto sin cifrar) a menos que se marque "Server requires authentication" • https://bugs.kde.org/show_bug.cgi?id=423423 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-319: Cleartext Transmission of Sensitive Information •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2020-15954
https://notcve.org/view.php?id=CVE-2020-15954
27 Jul 2020 — KDE KMail 19.12.3 (aka 5.13.3) engages in unencrypted POP3 communication during times when the UI indicates that encryption is in use. KDE KMail versión 19.12.3 (también se conoce como 5.13.3) se involucra en la comunicación POP3 sin cifrar durante los momentos cuando la IU indica que el cifrado está en uso • https://bugs.kde.org/show_bug.cgi?id=423426 • CWE-319: Cleartext Transmission of Sensitive Information •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-11880
https://notcve.org/view.php?id=CVE-2020-11880
17 Apr 2020 — An issue was discovered in KDE KMail before 19.12.3. By using the proprietary (non-RFC6068) "mailto?attach=..." parameter, a website (or other source of mailto links) can make KMail attach local files to a composed email message without showing a warning to the user, as demonstrated by an attach=.bash_history value. Se detectó un problema en KDE KMail versiones anteriores a 19.12.3. Al usar el parámetro "mailto? • https://cgit.kde.org/kmail.git/commit/?id=2a348eccd352260f192d9b449492071bbf2b34b1 •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 1CVE-2019-10732
https://notcve.org/view.php?id=CVE-2019-10732
07 Apr 2019 — In KDE KMail 5.2.3, an attacker in possession of S/MIME or PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. The encrypted part(s) can further be hidden using HTML/CSS or ASCII newline characters. This modified multipart email can be re-sent by the attacker to the intended receiver. If the receiver replies to this (benign looking) email, they unknowingly leak the plaintext of the encrypted message part(s) back to the attacker. En KDE KMail 5.2.3, un atacante que posea correos... • https://bugs.kde.org/show_bug.cgi?id=404698 • CWE-319: Cleartext Transmission of Sensitive Information •
CVSS: 5.9EPSS: 0%CPEs: 21EXPL: 1CVE-2017-17689 – Debian Security Advisory 4244-1
https://notcve.org/view.php?id=CVE-2017-17689
16 May 2018 — The S/MIME specification allows a Cipher Block Chaining (CBC) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL. La especificación S/MIME permite un ataque malleability-gadget Cipher Block Chaining (CBC) que puede conducir indirectamente a la exfiltración en texto plano. Esto también se conoce como EFAIL. Multiple security issues have been found in Thunderbird, which may lead to the execution of arbitrary code, denial of service or attacks on encrypted emails. • http://www.securityfocus.com/bid/104165 •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2014-8878
https://notcve.org/view.php?id=CVE-2014-8878
27 Sep 2017 — KDE KMail does not encrypt attachments in emails when "automatic encryption" is enabled, which allows remote attackers to obtain sensitive information by sniffing the network. KDE KMail no cifra los archivos adjuntos en los emails cuando "automatic encryption" está habilitado, lo que permite que los atacantes remotos obtengan información sensible rastreando la red. • http://www.openwall.com/lists/oss-security/2015/07/16/10 • CWE-310: Cryptographic Issues •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2017-9604
https://notcve.org/view.php?id=CVE-2017-9604
13 Jun 2017 — KDE kmail before 5.5.2 and messagelib before 5.5.2, as distributed in KDE Applications before 17.04.2, do not ensure that a plugin's sign/encrypt action occurs during use of the Send Later feature, which allows remote attackers to obtain sensitive information by sniffing the network. KDE kmail anterior a la 5.5.2 y messagelib anterior a la 5.5.2, como distribuciones en aplicaciones KDE anteriores a la 17.04.2, no asegura que la acción de firma del plugin ocurre durante el uso de la característica Send Later... • https://commits.kde.org/kmail/78c5552be2f00a4ac25bd77ca39386522fca70a8 • CWE-311: Missing Encryption of Sensitive Data •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2016-7967
https://notcve.org/view.php?id=CVE-2016-7967
23 Dec 2016 — KMail since version 5.3.0 used a QWebEngine based viewer that had JavaScript enabled. Since the generated html is executed in the local file security context by default access to remote and local URLs was enabled. KMail desde la versión 5.3.0 como se utiliza en un visor basado en QWebEngine que tenía habilitado JavaScript. Dado que el html generado es ejecutado en el contexto de seguridad de archivos local mediante el acceso predeterminado a URLs remotas y locales estaba habilitado. • http://www.openwall.com/lists/oss-security/2016/10/05/1 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-284: Improper Access Control •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2016-7968
https://notcve.org/view.php?id=CVE-2016-7968
23 Dec 2016 — KMail since version 5.3.0 used a QWebEngine based viewer that had JavaScript enabled. HTML Mail contents were not sanitized for JavaScript and included code was executed. KMail desde la versión 5.3.0 tal como se utiliza en un visor basado en QWebEngine que tenía habilitado JavaScript. Los contenidos de HTML Mail no fueron desinfectados para JavaScript y el código incluido fue ejecutado. • http://www.openwall.com/lists/oss-security/2016/10/05/1 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2016-7966 – Ubuntu Security Notice USN-3100-1
https://notcve.org/view.php?id=CVE-2016-7966
12 Oct 2016 — Through a malicious URL that contained a quote character it was possible to inject HTML code in KMail's plaintext viewer. Due to the parser used on the URL it was not possible to include the equal sign (=) or a space into the injected HTML, which greatly reduces the available HTML functionality. Although it is possible to include an HTML comment indicator to hide content. A través de una URL maliciosa que contenía un caracter de comillas era posible inyectar código HTML en el visor de texto plano de KMail. ... • http://lists.opensuse.org/opensuse-updates/2016-10/msg00065.html • CWE-94: Improper Control of Generation of Code ('Code Injection') •