CVSS: 7.2EPSS: 0%CPEs: 2EXPL: 0CVE-2018-6791
https://notcve.org/view.php?id=CVE-2018-6791
An issue was discovered in soliduiserver/deviceserviceaction.cpp in KDE Plasma Workspace before 5.12.0. When a vfat thumbdrive that contains `` or $() in its volume label is plugged in and mounted through the device notifier, it's interpreted as a shell command, leading to a possibility of arbitrary command execution. An example of an offending volume label is "$(touch b)" -- this will create a file called b in the home folder. Se ha descubierto un problema en soliduiserver/deviceserviceaction.cpp en KDE Plasma Workspace en versiones anteriores a la 5.12.0. Cuando una memoria USB vfat que contiene `` o $() en la etiqueta de la partición se enchufa o monta a través del notificador del dispositivo, se interpreta como un comando shell, lo que permite que se ejecuten comandos arbitrarios. • https://bugs.kde.org/show_bug.cgi?id=389815 https://cgit.kde.org/plasma-workspace.git/commit/?id=9db872df82c258315c6ebad800af59e81ffb9212 https://www.debian.org/security/2018/dsa-4116 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2014-8878
https://notcve.org/view.php?id=CVE-2014-8878
KDE KMail does not encrypt attachments in emails when "automatic encryption" is enabled, which allows remote attackers to obtain sensitive information by sniffing the network. KDE KMail no cifra los archivos adjuntos en los emails cuando "automatic encryption" está habilitado, lo que permite que los atacantes remotos obtengan información sensible rastreando la red. • http://www.openwall.com/lists/oss-security/2015/07/16/10 http://www.securityfocus.com/bid/75986 https://bugs.kde.org/show_bug.cgi?id=340312 https://bugzilla.redhat.com/show_bug.cgi?id=1243777 • CWE-310: Cryptographic Issues •
CVSS: 7.0EPSS: 0%CPEs: 2EXPL: 1CVE-2015-7543
https://notcve.org/view.php?id=CVE-2015-7543
aRts 1.5.10 and kdelibs3 3.5.10 and earlier do not properly create temporary directories, which allows local users to hijack the IPC by pre-creating the temporary directory. aRts versión 1.5.10 y kdelibs3 versión 3.5.10 y anteriores, no crean apropiadamente los directorios temporales, lo que permite a los usuarios locales secuestrar la IPC mediante la creación previa del directorio temporal. • https://bugzilla.redhat.com/show_bug.cgi?id=1280543 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2017-9604
https://notcve.org/view.php?id=CVE-2017-9604
KDE kmail before 5.5.2 and messagelib before 5.5.2, as distributed in KDE Applications before 17.04.2, do not ensure that a plugin's sign/encrypt action occurs during use of the Send Later feature, which allows remote attackers to obtain sensitive information by sniffing the network. KDE kmail anterior a la 5.5.2 y messagelib anterior a la 5.5.2, como distribuciones en aplicaciones KDE anteriores a la 17.04.2, no asegura que la acción de firma del plugin ocurre durante el uso de la característica Send Later, lo que permite a un atacante remoto obtener información sensible mediante la observación de la red. • https://commits.kde.org/kmail/78c5552be2f00a4ac25bd77ca39386522fca70a8 https://commits.kde.org/messagelib/c54706e990bbd6498e7b1597ec7900bc809e8197 • CWE-311: Missing Encryption of Sensitive Data •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 1CVE-2017-8422 – KDE 4/5 - 'KAuth' Local Privilege Escalation
https://notcve.org/view.php?id=CVE-2017-8422
KDE kdelibs before 4.14.32 and KAuth before 5.34 allow local users to gain root privileges by spoofing a callerID and leveraging a privileged helper app. KDelibs de KDE antes de 4.14.32 y KAuth antes de 5.34 permiten que los usuarios locales obtengan privilegios de root por spoofing de un callerID y aprovechando una aplicación de ayuda privilegiada. A privilege escalation flaw was found in the way kdelibs handled D-Bus messages. A local user could potentially use this flaw to gain root privileges by spoofing a callerID and leveraging a privileged helper application. KDE versions 4 and 5 suffer from a KAuth privilege escalation vulnerability. • https://www.exploit-db.com/exploits/42053 http://www.debian.org/security/2017/dsa-3849 http://www.openwall.com/lists/oss-security/2017/05/10/3 http://www.securityfocus.com/bid/98412 http://www.securitytracker.com/id/1038480 https://access.redhat.com/errata/RHSA-2017:1264 https://bugzilla.redhat.com/show_bug.cgi?id=1449647 https://cgit.kde.org/kauth.git/commit/?id=df875f725293af53399f5146362eb158b4f9216a https://cgit.kde.org/kdelibs.git/commit/?id=264e97625abe2e0334f97de17f6ffb52582888a • CWE-290: Authentication Bypass by Spoofing •