CVE-2021-38373
https://notcve.org/view.php?id=CVE-2021-38373
In KDE KMail 19.12.3 (aka 5.13.3), the SMTP STARTTLS option is not honored (and cleartext messages are sent) unless "Server requires authentication" is checked. En KDE KMail versión 19.12.3 (también se conoce como 5.13.3), la opción SMTP STARTTLS no es respetada (y se envían mensajes en texto sin cifrar) a menos que se marque "Server requires authentication" • https://bugs.kde.org/show_bug.cgi?id=423423 https://nostarttls.secvuln.info • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-319: Cleartext Transmission of Sensitive Information •
CVE-2020-15954
https://notcve.org/view.php?id=CVE-2020-15954
KDE KMail 19.12.3 (aka 5.13.3) engages in unencrypted POP3 communication during times when the UI indicates that encryption is in use. KDE KMail versión 19.12.3 (también se conoce como 5.13.3) se involucra en la comunicación POP3 sin cifrar durante los momentos cuando la IU indica que el cifrado está en uso • https://bugs.kde.org/show_bug.cgi?id=423426 https://lists.debian.org/debian-lts-announce/2020/07/msg00030.html • CWE-319: Cleartext Transmission of Sensitive Information •
CVE-2020-11880
https://notcve.org/view.php?id=CVE-2020-11880
An issue was discovered in KDE KMail before 19.12.3. By using the proprietary (non-RFC6068) "mailto?attach=..." parameter, a website (or other source of mailto links) can make KMail attach local files to a composed email message without showing a warning to the user, as demonstrated by an attach=.bash_history value. Se detectó un problema en KDE KMail versiones anteriores a 19.12.3. Al usar el parámetro "mailto? • https://cgit.kde.org/kmail.git/commit/?id=2a348eccd352260f192d9b449492071bbf2b34b1 https://cgit.kde.org/kmail.git/tag/?h=v19.12.3 •
CVE-2019-10732
https://notcve.org/view.php?id=CVE-2019-10732
In KDE KMail 5.2.3, an attacker in possession of S/MIME or PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. The encrypted part(s) can further be hidden using HTML/CSS or ASCII newline characters. This modified multipart email can be re-sent by the attacker to the intended receiver. If the receiver replies to this (benign looking) email, they unknowingly leak the plaintext of the encrypted message part(s) back to the attacker. En KDE KMail 5.2.3, un atacante que posea correos electrónicos cifrados en S/MIME o PGP puede envolverlos como subpartes de un correo electrónico multiparte manipulado. • https://bugs.kde.org/show_bug.cgi?id=404698 https://lists.debian.org/debian-lts-announce/2019/06/msg00012.html • CWE-319: Cleartext Transmission of Sensitive Information •
CVE-2017-17689
https://notcve.org/view.php?id=CVE-2017-17689
The S/MIME specification allows a Cipher Block Chaining (CBC) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL. La especificación S/MIME permite un ataque malleability-gadget Cipher Block Chaining (CBC) que puede conducir indirectamente a la exfiltración en texto plano. Esto también se conoce como EFAIL. • http://www.securityfocus.com/bid/104165 https://efail.de https://news.ycombinator.com/item?id=17066419 https://pastebin.com/gNCc8aYm https://twitter.com/matthew_d_green/status/996371541591019520 https://www.synology.com/support/security/Synology_SA_18_22 •