
CVE-2024-57966
https://notcve.org/view.php?id=CVE-2024-57966
03 Feb 2025 — libarchiveplugin.cpp in KDE ark before 24.12.0 can extract to an absolute path from an archive. • https://github.com/KDE/ark/commit/fe518d81b338941e0bf1c5ce5e75a9ab6de4bb58 • CWE-36: Absolute Path Traversal •

CVE-2024-36041 – Debian Security Advisory 5723-1
https://notcve.org/view.php?id=CVE-2024-36041
27 Jun 2024 — KSmserver in KDE Plasma Workspace (aka plasma-workspace) before 5.27.11.1 and 6.x before 6.0.5.1 allows connections via ICE based purely on the host, i.e., all local connections are accepted. This allows another user on the same machine to gain access to the session manager, e.g., use the session-restore feature to execute arbitrary code as the victim (on the next boot) via earlier use of the /tmp directory. • https://github.com/KDE/plasma-workspace/tags • CWE-613: Insufficient Session Expiration •

CVE-2023-52723
https://notcve.org/view.php?id=CVE-2023-52723
29 Apr 2024 — In KDE libksieve before 23.03.80, kmanagesieve/session.cpp places a cleartext password in server logs because a username variable is accidentally given a password value. • http://www.openwall.com/lists/oss-security/2024/04/30/1 • CWE-798: Use of Hard-coded Credentials •

CVE-2024-1433 – KDE Plasma Workspace Theme File eventpluginsmanager.cpp enabledPlugins path traversal
https://notcve.org/view.php?id=CVE-2024-1433
11 Feb 2024 — A vulnerability, which was classified as problematic, was found in KDE Plasma Workspace up to 5.93.0. This affects the function EventPluginsManager::enabledPlugins of the file components/calendar/eventpluginsmanager.cpp of the component Theme File Handler. The manipulation of the argument pluginId leads to path traversal. It is possible to initiate the attack remotely. The complexity of an attack is rather high. • https://github.com/KDE/plasma-workspace/commit/6cdf42916369ebf4ad5bd876c4dfa0170d7b2f01 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2022-24986
https://notcve.org/view.php?id=CVE-2022-24986
26 Feb 2022 — KDE KCron through 21.12.2 uses a temporary file in /tmp when saving, but reuses the filename during an editing session. Thus, someone watching it be created the first time could potentially intercept the file the following time, enabling that person to run unauthorized commands. • http://www.openwall.com/lists/oss-security/2022/02/25/3 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') • CWE-668: Exposure of Resource to Wrong Sphere •

CVE-2022-23853 – Gentoo Linux Security Advisory 202401-21
https://notcve.org/view.php?id=CVE-2022-23853
11 Feb 2022 — The LSP (Language Server Protocol) plugin in KDE Kate before 21.12.2 and KTextEditor before 5.91.0 tries to execute the associated LSP server binary when opening a file of a given type. If this binary is absent from the PATH, it will try running the LSP server binary in the directory of the file that was just opened (due to a misunderstanding of the QProcess API, that was never intended). This can be an untrusted directory. • https://apps.kde.org/kate • CWE-427: Uncontrolled Search Path Element •

CVE-2021-38373
https://notcve.org/view.php?id=CVE-2021-38373
10 Aug 2021 — In KDE KMail 19.12.3 (aka 5.13.3), the SMTP STARTTLS option is not honored (and cleartext messages are sent) unless "Server requires authentication" is checked. • https://bugs.kde.org/show_bug.cgi?id=423423 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') • CWE-319: Cleartext Transmission of Sensitive Information •

CVE-2021-38372
https://notcve.org/view.php?id=CVE-2021-38372
10 Aug 2021 — In KDE Trojita 0.7, man-in-the-middle attackers can create new folders because untagged responses from an IMAP server are accepted before STARTTLS. • https://bugs.kde.org/show_bug.cgi?id=432353 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVE-2021-36083
https://notcve.org/view.php?id=CVE-2021-36083
01 Jul 2021 — KDE KImageFormats 5.70.0 through 5.81.0 has a stack-based buffer overflow in XCFImageFormat::loadTileRLE. • https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33742 • CWE-787: Out-of-bounds Write •

CVE-2021-31855
https://notcve.org/view.php?id=CVE-2021-31855
02 Jun 2021 — KDE Messagelib through 5.17.0 reveals cleartext of encrypted messages in some situations. Deleting an attachment of a decrypted encrypted message stored on a remote server (e.g., an IMAP server) causes KMail to upload the decrypted content of the message to the remote server. With a crafted message, a user could be tricked into decrypting an encrypted message and then deleting an attachment attached to this message. If the attacker has access to the messages stored on the email server, then the attacker cou... • https://github.com/KDE/messagelib/commit/3b5b171e91ce78b966c98b1292a1bcbc8d984799 • CWE-312: Cleartext Storage of Sensitive Information •