CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 1CVE-2013-4133
https://notcve.org/view.php?id=CVE-2013-4133
kde-workspace before 4.10.5 has a memory leak in plasma desktop kde-workspace versiones anteriores a la versión 4.10.5, tiene una pérdida de memoria en el escritorio plasma • http://lists.opensuse.org/opensuse-updates/2013-08/msg00002.html http://www.openwall.com/lists/oss-security/2013/07/16/4 http://www.securityfocus.com/bid/61201 https://access.redhat.com/security/cve/cve-2013-4133 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4133 https://exchange.xforce.ibmcloud.com/vulnerabilities/85797 https://security-tracker.debian.org/tracker/CVE-2013-4133 • CWE-404: Improper Resource Shutdown or Release •
CVSS: 8.8EPSS: 0%CPEs: 12EXPL: 1CVE-2019-14744 – kdelibs: malicious desktop files and configuration files lead to code execution with minimal user interaction
https://notcve.org/view.php?id=CVE-2019-14744
In KDE Frameworks KConfig before 5.61.0, malicious desktop files and configuration files lead to code execution with minimal user interaction. This relates to libKF5ConfigCore.so, and the mishandling of .desktop and .directory files, as demonstrated by a shell command on an Icon line in a .desktop file. En KDE Frameworks KConfig en versiones anteriores a 5.61.0, los archivos de escritorio y los archivos de configuración maliciosos conllevan a la ejecución de código con una interacción mínima del usuario. Esto se relaciona con el archivo libKF5ConfigCore.so y el manejo inapropiado de archivos .desktop y .directory, como es demostrado por un comando de shell en una línea Icon en un archivo .desktop. A flaw was found in the KDE Frameworks KConfig prior to version 5.61.0. • http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00013.html http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00016.html http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00034.html http://packetstormsecurity.com/files/153981/Slackware-Security-Advisory-kdelibs-Updates.html https://access.redhat.com/errata/RHSA-2019:2606 https://gist.githubusercontent.com/zeropwn/630832df151029cb8f22d5b6b9efaefb/raw/64aa3d30279acb207f787ce9c135eefd5e52643b/kde-kdesktopfile-command-injection.txt https://lists.deb • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-454: External Initialization of Trusted Variables or Data Stores •
CVSS: 9.3EPSS: 0%CPEs: 7EXPL: 0CVE-2019-7443
https://notcve.org/view.php?id=CVE-2019-7443
KDE KAuth before 5.55 allows the passing of parameters with arbitrary types to helpers running as root over DBus via DBusHelperProxy.cpp. Certain types can cause crashes, and trigger the decoding of arbitrary images with dynamically loaded plugins. In other words, KAuth unintentionally causes this plugin code to run as root, which increases the severity of any possible exploitation of a plugin vulnerability. KDE KAuth, versiones anteriores 5.55, permite el paso de parámetros con tipos arbitrarios a ayudantes que se ejecutan como root sobre DBus a través de DBusHelperProxy.cpp. Ciertos tipos pueden causar caídas y desencadenar la decodificación de imágenes arbitrarias con plugins cargados dinámicamente. • http://lists.opensuse.org/opensuse-security-announce/2019-02/msg00060.html http://lists.opensuse.org/opensuse-security-announce/2019-02/msg00065.html https://bugzilla.suse.com/show_bug.cgi?id=1124863 https://cgit.kde.org/kauth.git/commit/?id=fc70fb0161c1b9144d26389434d34dd135cd3f4a https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DAWLQKTUQJOAPXOFWJQAQCA4LVM2P45F https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PXVUJNXB6QKGPT6YJPJSG3U2BIR5XK5Y • CWE-20: Improper Input Validation •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 1CVE-2019-10732
https://notcve.org/view.php?id=CVE-2019-10732
In KDE KMail 5.2.3, an attacker in possession of S/MIME or PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. The encrypted part(s) can further be hidden using HTML/CSS or ASCII newline characters. This modified multipart email can be re-sent by the attacker to the intended receiver. If the receiver replies to this (benign looking) email, they unknowingly leak the plaintext of the encrypted message part(s) back to the attacker. En KDE KMail 5.2.3, un atacante que posea correos electrónicos cifrados en S/MIME o PGP puede envolverlos como subpartes de un correo electrónico multiparte manipulado. • https://bugs.kde.org/show_bug.cgi?id=404698 https://lists.debian.org/debian-lts-announce/2019/06/msg00012.html • CWE-319: Cleartext Transmission of Sensitive Information •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-19120
https://notcve.org/view.php?id=CVE-2018-19120
The HTML thumbnailer plugin in KDE Applications before 18.12.0 allows attackers to trigger outbound TCP connections to arbitrary IP addresses, leading to disclosure of the source IP address. El plugin HTML thumbnailer en aplicaciones KDE en versiones anteriores a la 18.12.0 permite a los atacantes desencadenar conexiones TCP salientes a direcciones IP arbitrarias, lo que conduce a la divulgación de la dirección IP de origen. • https://bugzilla.redhat.com/show_bug.cgi?id=1649420 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CWRCGXLPJHM4OFD66BINH2FIMYHRCRKF • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •