CVE-2016-7967
Published: 23 December 2016
KMail since version 5.3.0 used a QWebEngine based viewer that had JavaScript enabled. Since the generated html is executed in the local file security context by default access to remote and local URLs was enabled.
Notes
Author | Note |
---|---|
mdeslaur | 5.3.0 and over |
sbeattie | kmail did not use QWebSettings through zesty |
Priority
Status
Package | Release | Status |
---|---|---|
kdepim Launchpad, Ubuntu, Debian |
precise |
Not vulnerable
(4:4.8.5-0ubuntu0.1)
|
trusty |
Not vulnerable
(4:4.13.3-0ubuntu0.1)
|
|
upstream |
Needs triage
|
|
xenial |
Not vulnerable
(code not present)
|
|
yakkety |
Ignored
(end of life)
|
|
zesty |
Not vulnerable
(code not present)
|
|
kf5-messagelib Launchpad, Ubuntu, Debian |
precise |
Does not exist
|
trusty |
Does not exist
|
|
upstream |
Released
(16.11.80)
|
|
xenial |
Does not exist
|
|
yakkety |
Ignored
(end of life)
|
|
zesty |
Not vulnerable
(code not present)
|
|
Patches: upstream: https://cgit.kde.org/messagelib.git/commit/?id=dfc6a86f1b25f1da04b8f1df5320fcdd7085bcc1 |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 8.1 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | Required |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | None |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |