CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2021-39361
https://notcve.org/view.php?id=CVE-2021-39361
22 Aug 2021 — In GNOME evolution-rss through 0.3.96, network-soup.c does not enable TLS certificate verification on the SoupSessionSync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: this is similar to CVE-2016-20011. En GNOME evolution-rss versiones hasta 0.3.96, el archivo network-soup.c, no habilita la verificación del certificado TLS en los objetos SoupSessionSync que crea, dejando a los usuarios vulnerables a ataques MITM de la red. NOTA: Esto es similar a CVE-2016-20011. • https://blogs.gnome.org/mcatanzaro/2021/05/25/reminder-soupsessionsync-and-soupsessionasync-default-to-no-tls-certificate-verification • CWE-295: Improper Certificate Validation •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2009-3721
https://notcve.org/view.php?id=CVE-2009-3721
26 May 2021 — Multiple directory traversal and buffer overflow vulnerabilities were discovered in yTNEF, and in Evolution's TNEF parser that is derived from yTNEF. A crafted email could cause these applications to write data in arbitrary locations on the filesystem, crash, or potentially execute arbitrary code when decoding attachments. Se detectaron múltiples vulnerabilidades de salto de directorio y desbordamiento de búfer en yTNEF, y en el analizador TNEF de Evolution que deriva de yTNEF. Un correo electrónico di... • http://www.ocert.org/advisories/ocert-2009-013.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 3.3EPSS: 0%CPEs: 1EXPL: 1CVE-2021-3349
https://notcve.org/view.php?id=CVE-2021-3349
01 Feb 2021 — GNOME Evolution through 3.38.3 produces a "Valid signature" message for an unknown identifier on a previously trusted key because Evolution does not retrieve enough information from the GnuPG API. NOTE: third parties dispute the significance of this issue, and dispute whether Evolution is the best place to change this behavior ** EN DISPUTA ** GNOME Evolution versiones hasta 3.38.3, produce un mensaje "Valid signature" para un identificador desconocido en una clave previamente confiable porque Evolution no ... • https://dev.gnupg.org/T4735 • CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 5.9EPSS: 0%CPEs: 2EXPL: 1CVE-2020-16117 – evolution-data-server: NULL pointer dereference related to imapx_free_capability and imapx_connect_to_server
https://notcve.org/view.php?id=CVE-2020-16117
29 Jul 2020 — In GNOME evolution-data-server before 3.35.91, a malicious server can crash the mail client with a NULL pointer dereference by sending an invalid (e.g., minimal) CAPABILITY line on a connection attempt. This is related to imapx_free_capability and imapx_connect_to_server. En GNOME evolution-data-server versiones anteriores a 3.35.91, un servidor malicioso puede bloquear el cliente de correo con una desreferencia del puntero NULL mediante el envío de una línea CAPABILITY no válida (por ejemplo, mínima) en un... • https://gitlab.gnome.org/GNOME/evolution-data-server/-/commit/2cc39592b532cf0dc994fd3694b8e6bf924c9ab5 • CWE-476: NULL Pointer Dereference •
CVSS: 5.9EPSS: 4%CPEs: 7EXPL: 1CVE-2020-14928 – evolution-data-server: Response injection via STARTTLS in SMTP and POP3
https://notcve.org/view.php?id=CVE-2020-14928
17 Jul 2020 — evolution-data-server (eds) through 3.36.3 has a STARTTLS buffering issue that affects SMTP and POP3. When a server sends a "begin TLS" response, eds reads additional data and evaluates it in a TLS context, aka "response injection." evolution-data-server (eds) versiones hasta 3.36.3, presenta un problema de almacenamiento en búfer STARTTLS que afecta a SMTP y POP3. Cuando un servidor envía una respuesta "begin TLS", eds lee datos adicionales y los evalúa en un contexto TLS, también se conoce como "response ... • https://bugzilla.suse.com/show_bug.cgi?id=1173910 • CWE-20: Improper Input Validation CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-11879
https://notcve.org/view.php?id=CVE-2020-11879
17 Apr 2020 — An issue was discovered in GNOME Evolution before 3.35.91. By using the proprietary (non-RFC6068) "mailto?attach=..." parameter, a website (or other source of mailto links) can make Evolution attach local files or directories to a composed email message without showing a warning to the user, as demonstrated by an attach=. value. Se descubrió un problema en GNOME Evolution anterior a la versión 3.35.91. Al utilizar el parámetro "mailto Attach = ..." patentado (no RFC6068), un sitio web (u otra fuente de enla... • https://gitlab.gnome.org/GNOME/evolution/-/blob/master/NEWS •
CVSS: 7.3EPSS: 0%CPEs: 2EXPL: 1CVE-2011-3355
https://notcve.org/view.php?id=CVE-2011-3355
25 Nov 2019 — evolution-data-server3 3.0.3 through 3.2.1 used insecure (non-SSL) connection when attempting to store sent email messages into the Sent folder, when the Sent folder was located on the remote server. An attacker could use this flaw to obtain login credentials of the victim. evolution-data-server versión 3 3.0.3 hasta 3.2.1, utilizó una conexión no segura (no SSL) cuando se intenta almacenar mensajes de correo electrónico enviados a la carpeta Sent, cuando la carpeta Sent fue encontrada en el servidor remoto... • https://access.redhat.com/security/cve/cve-2011-3355 • CWE-311: Missing Encryption of Sensitive Data •
CVSS: 8.1EPSS: 0%CPEs: 3EXPL: 0CVE-2019-3890 – evolution-ews: all certificate errors ignored if error is ignored during initial account setup in gnome-online-accounts
https://notcve.org/view.php?id=CVE-2019-3890
01 Aug 2019 — It was discovered evolution-ews before 3.31.3 does not check the validity of SSL certificates. An attacker could abuse this flaw to get confidential information by tricking the user into connecting to a fake server without the user noticing the difference. Se detectó que evolution-ews anterior a versión 3.31.3, no comprueba la validez de los certificados SSL. Un atacante podría abusar de este fallo para conseguir información confidencial mediante el engaño del usuario para que se conecte a un servidor falso... • https://access.redhat.com/errata/RHSA-2019:3699 • CWE-295: Improper Certificate Validation CWE-296: Improper Following of a Certificate's Chain of Trust •
CVSS: 6.5EPSS: 2%CPEs: 2EXPL: 2CVE-2018-15587 – evolution: specially crafted email leading to OpenPGP signatures being spoofed for arbitrary messages
https://notcve.org/view.php?id=CVE-2018-15587
11 Feb 2019 — GNOME Evolution through 3.28.2 is prone to OpenPGP signatures being spoofed for arbitrary messages using a specially crafted email that contains a valid signature from the entity to be impersonated as an attachment. GNOME Evolution, hasta la versión 3.28.2, es propenso a que las firmas OpenPGP sean suplantadas para mensajes arbitrarios empleando un correo electrónico especialmente manipulado que contiene una firma válida de la entidad que será suplantada como adjunto. Evolution is a GNOME application that p... • https://packetstorm.news/files/id/152703 • CWE-347: Improper Verification of Cryptographic Signature •
CVSS: 9.8EPSS: 1%CPEs: 3EXPL: 1CVE-2016-10727 – Ubuntu Security Notice USN-3724-1
https://notcve.org/view.php?id=CVE-2016-10727
20 Jul 2018 — camel/providers/imapx/camel-imapx-server.c in the IMAPx component in GNOME evolution-data-server before 3.21.2 proceeds with cleartext data containing a password if the client wishes to use STARTTLS but the server will not use STARTTLS, which makes it easier for remote attackers to obtain sensitive information by sniffing the network. The server code was intended to report an error and not proceed, but the code was written incorrectly. camel/providers/imapx/camel-imapx-server.c en el componente IMAPx en GNO... • https://bugzilla.redhat.com/show_bug.cgi?id=1334842 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •