CVE-2016-7967
https://notcve.org/view.php?id=CVE-2016-7967
KMail since version 5.3.0 used a QWebEngine based viewer that had JavaScript enabled. Since the generated html is executed in the local file security context by default access to remote and local URLs was enabled. KMail desde la versión 5.3.0 como se utiliza en un visor basado en QWebEngine que tenía habilitado JavaScript. Dado que el html generado es ejecutado en el contexto de seguridad de archivos local mediante el acceso predeterminado a URLs remotas y locales estaba habilitado. • http://www.openwall.com/lists/oss-security/2016/10/05/1 http://www.securityfocus.com/bid/93360 https://www.kde.org/info/security/advisory-20161006-2.txt • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-284: Improper Access Control •
CVE-2016-7966
https://notcve.org/view.php?id=CVE-2016-7966
Through a malicious URL that contained a quote character it was possible to inject HTML code in KMail's plaintext viewer. Due to the parser used on the URL it was not possible to include the equal sign (=) or a space into the injected HTML, which greatly reduces the available HTML functionality. Although it is possible to include an HTML comment indicator to hide content. A través de una URL maliciosa que contenía un caracter de comillas era posible inyectar código HTML en el visor de texto plano de KMail. Debido al analizador utilizado en la URL no fue posible incluir el signo igual (=) o un espacio dentro del HTML inyectado, lo que reduce enormemente la funcionalidad HTML disponible. • http://lists.opensuse.org/opensuse-updates/2016-10/msg00065.html http://www.debian.org/security/2016/dsa-3697 http://www.openwall.com/lists/oss-security/2016/10/05/1 http://www.securityfocus.com/bid/93360 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QNMM5TVPTJQFPJ3YDF4DPXDFW3GQLWLY • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2006-7062
https://notcve.org/view.php?id=CVE-2006-7062
calendar.php in Kamgaing Email System (kmail) 2.3 and earlier allows remote attackers to obtain the full path of the server via an invalid d parameter, which leaks the path in an error message. calendar.php en Kamgaing Email System (kmail) 2.3 y anteriores permiten a atacantes remotos obtener la ruta completa del servidor a través de un parámetro d inválido, lo cual filtra la ruta en un mensaje de error. • http://pridels0.blogspot.com/2006/04/kmail-23-vuln.html http://www.osvdb.org/25065 https://exchange.xforce.ibmcloud.com/vulnerabilities/26120 •
CVE-2006-2104
https://notcve.org/view.php?id=CVE-2006-2104
Multiple cross-site scripting (XSS) vulnerabilities in Kamgaing Email System (kmail) 2.3 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) d parameter to main.php, ordner parameter to (2) main.php, or (3) webdisk.php, (4) draft parameter to compose.php, or (5) m, or (6) y parameter to calendar.php. • http://pridels0.blogspot.com/2006/04/kmail-23-vuln.html http://secunia.com/advisories/19755 http://www.osvdb.org/25061 http://www.osvdb.org/25062 http://www.osvdb.org/25063 http://www.osvdb.org/25064 http://www.vupen.com/english/advisories/2006/1564 https://exchange.xforce.ibmcloud.com/vulnerabilities/26117 •
CVE-2005-0404 – KDE KMail 1.7.1 - HTML EMail Remote Email Content Spoofing
https://notcve.org/view.php?id=CVE-2005-0404
KMail 1.7.1 in KDE 3.3.2 allows remote attackers to spoof email information, such as whether the email has been digitally signed or encrypted, via HTML formatted email. • https://www.exploit-db.com/exploits/25375 http://bugs.kde.org/show_bug.cgi?id=96020 http://mail.kde.org/pipermail/kmail-devel/2005-February/015490.html http://secunia.com/advisories/14925 http://www.securiteam.com/unixfocus/5GP0B0AFFE.html •