
CVSS: 8.4 | EPSS: 0% | CPEs: 3 | EXPL: 0

kinit in KDE Frameworks before 5.23.0 uses weak permissions (644) for /tmp/xauth-xxx-_y, which allows local users to obtain X11 cookies of other users and consequently capture keystrokes and possibly gain privileges by reading the file.

• http://lists.opensuse.org/opensuse-updates/2016-07/msg00001.html
• http://www.kde.com/announcements/kde-frameworks-5.23.0.php
• http://www.securityfocus.com/bid/91769
• https://bugs.kde.org/show_bug.cgi?id=358593
• https://bugs.kde.org/show_bug.cgi?id=363140
• https://quickgit.kde.org/?p=kinit.git&a=commitdiff&h=72f3702dbe6cf15c06dc13da2c99c864e9022a58
• https://quickgit.kde.org/?p=kinit.git&a=commitdiff&h=dece8fd89979cd1a86c03bcaceef6e9221e8d8cd
• https://www.kde.org/info/security/advisory-20160621-1.t
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 4.3 | EPSS: 0% | CPEs: 2 | EXPL: 0

kde-workspace 4.2.0 and plasma-workspace before 5.1.95 allow remote attackers to obtain input events, and consequently obtain passwords, by leveraging access to the X server when the screen is locked.

• http://secunia.com/advisories/62051
• http://www.openwall.com/lists/oss-security/2015/01/22/6
• http://www.securityfocus.com/bid/72284
• https://www.kde.org/info/security/advisory-20150122-2.txt
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 5.0 | EPSS: 0% | CPEs: 1 | EXPL: 1

kwalletd in KWallet before KDE Applications 14.12.0 uses Blowfish with ECB mode instead of CBC mode when encrypting the password store, which makes it easier for attackers to guess passwords via a codebook attack.

• http://gaganpreet.in/blog/2013/07/24/kwallet-security-analysis
• http://www.openwall.com/lists/oss-security/2014/01/02/3
• http://www.openwall.com/lists/oss-security/2015/01/09/7
• http://www.securityfocus.com/bid/67716
• https://bugzilla.redhat.com/show_bug.cgi?id=1048168
• https://security.gentoo.org/glsa/201606-19
• https://www.kde.org/info/security/advisory-20150109-1.txt
• CWE-310: Cryptographic Issues

CVSS: 4.3 | EPSS: 0% | CPEs: 4 | EXPL: 2

Multiple cross-site scripting (XSS) vulnerabilities in KDE-Runtime 4.14.3 and earlier, kwebkitpart 1.3.4 and earlier, and kio-extras 5.1.1 and earlier allow remote attackers to inject arbitrary web script or HTML via a crafted URI using the (1) zip, (2) trash, (3) tar, (4) thumbnail, (5) smtps, (6) smtp, (7) smb, (8) remote, (9) recentdocuments, (10) nntps, (11) nntp, (12) network, (13) mbox, (14) ldaps, (15) ldap, (16) fonts, (17) file, (18) desktop, (19) cgi, (20) bookmarks, or (21) ar scheme, which is not properly handled in an error message.

It was discovered that a number of the protocol handlers (referred to as IO slaves) did not satisfactorily handle malicious input. It is possible for an attacker to inject JavaScript by manipulating an IO slave URI such that the JavaScript from the manipulated request is returned in the response.

• http://lists.opensuse.org/opensuse-updates/2015-03/msg00068.html
• http://seclists.org/fulldisclosure/2014/Nov/54
• http://ubuntu.com/usn/usn-2414-1
• http://www.securityfocus.com/bid/71190
• https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-8600
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.2 | EPSS: 0% | CPEs: 2 | EXPL: 0

The KDE Clock KCM policykit helper in kde-workspace before 4.11.14 and plasma-desktop before 5.1.1 allows local users to gain privileges via a crafted ntpUtility (ntp utility name) argument.

• http://lists.fedoraproject.org/pipermail/package-announce/2014-November/143781.html
• http://lists.fedoraproject.org/pipermail/package-announce/2014-November/144034.html
• http://lists.fedoraproject.org/pipermail/package-announce/2014-November/144093.html
• http://www.openwall.com/lists/oss-security/2014/11/04/9
• http://www.openwall.com/lists/oss-security/2014/11/07/3
• http://www.securityfocus.com/bid/70904
• http://www.ubuntu.com/usn/USN-2402-1
• https://security.gentoo.org/glsa/201512-12
• htt
• CWE-264: Permissions, Privileges, and Access Controls