In KDE KMail 19.12.3 (aka 5.13.3), the SMTP STARTTLS option is not honored (and cleartext messages are sent) unless "Server requires authentication" is checked.
Max CVSS
5.3
EPSS Score
0.08%
Published
2021-08-10
Updated
2021-08-20
In KDE Trojita 0.7, man-in-the-middle attackers can create new folders because untagged responses from an IMAP server are accepted before STARTTLS.
Max CVSS
4.3
EPSS Score
0.07%
Published
2021-08-10
Updated
2021-08-20
KDE KImageFormats 5.70.0 through 5.81.0 has a stack-based buffer overflow in XCFImageFormat::loadTileRLE.
Max CVSS
5.5
EPSS Score
0.16%
Published
2021-07-01
Updated
2021-07-08
KDE Messagelib through 5.17.0 reveals cleartext of encrypted messages in some situations. Deleting an attachment of a decrypted encrypted message stored on a remote server (e.g., an IMAP server) causes KMail to upload the decrypted content of the message to the remote server. With a crafted message, a user could be tricked into decrypting an encrypted message and then deleting an attachment attached to this message. If the attacker has access to the messages stored on the email server, then the attacker could read the decrypted content of the encrypted message. This occurs in ViewerPrivate::deleteAttachment in messageviewer/src/viewer/viewer_p.cpp.
Max CVSS
6.5
EPSS Score
0.07%
Published
2021-06-02
Updated
2023-11-08
In kdeconnect-kde (aka KDE Connect) before 20.08.2, an attacker on the local network could send crafted packets that trigger use of large amounts of CPU, memory, or network connection slots, aka a Denial of Service attack.
Max CVSS
5.5
EPSS Score
0.05%
Published
2020-10-07
Updated
2023-01-31
In KDE Ark before 20.08.1, a crafted TAR archive with symlinks can install files outside the extraction directory, as demonstrated by a write operation to a user's home directory.
Max CVSS
4.3
EPSS Score
0.25%
Published
2020-09-02
Updated
2022-09-12
In kerfuffle/jobs.cpp in KDE Ark before 20.08.0, a crafted archive can install files outside the extraction directory via ../ directory traversal.
Max CVSS
4.3
EPSS Score
0.13%
Published
2020-08-03
Updated
2022-09-12
KDE KMail 19.12.3 (aka 5.13.3) engages in unencrypted POP3 communication during times when the UI indicates that encryption is in use.
Max CVSS
6.5
EPSS Score
0.13%
Published
2020-07-27
Updated
2020-07-30
A remote user can create a specially crafted M3U file, media playlist file that when loaded by the target user, will trigger a memory leak, whereby Amarok 2.8.0 continue to waste resources over time, eventually allows attackers to cause a denial of service.
Max CVSS
5.5
EPSS Score
0.12%
Published
2020-05-20
Updated
2022-04-28
An issue was discovered in KDE KMail before 19.12.3. By using the proprietary (non-RFC6068) "mailto?attach=..." parameter, a website (or other source of mailto links) can make KMail attach local files to a composed email message without showing a warning to the user, as demonstrated by an attach=.bash_history value.
Max CVSS
6.5
EPSS Score
0.09%
Published
2020-04-17
Updated
2020-04-29
KDE Okular before 1.10.0 allows code execution via an action link in a PDF document.
Max CVSS
6.8
EPSS Score
0.29%
Published
2020-03-24
Updated
2022-04-12
In KDE KMail 5.2.3, an attacker in possession of S/MIME or PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. The encrypted part(s) can further be hidden using HTML/CSS or ASCII newline characters. This modified multipart email can be re-sent by the attacker to the intended receiver. If the receiver replies to this (benign looking) email, they unknowingly leak the plaintext of the encrypted message part(s) back to the attacker.
Max CVSS
4.3
EPSS Score
0.09%
Published
2019-04-07
Updated
2022-04-05
okular version 18.08 and earlier contains a Directory Traversal vulnerability in function "unpackDocumentArchive(...)" in "core/document.cpp" that can result in Arbitrary file creation on the user workstation. This attack appear to be exploitable via he victim must open a specially crafted Okular archive. This issue appears to have been corrected in version 18.08.1
Max CVSS
5.5
EPSS Score
0.11%
Published
2018-09-06
Updated
2019-03-20
messagepartthemes/default/defaultrenderer.cpp in messagelib in KDE Applications before 18.12.0 does not properly restrict the handling of an http-equiv="REFRESH" value.
Max CVSS
5.3
EPSS Score
0.08%
Published
2020-03-12
Updated
2020-03-18
An issue was discovered in KDE Plasma Workspace before 5.12.0. dataengines/notifications/notificationsengine.cpp allows remote attackers to discover client IP addresses via a URL in a notification, as demonstrated by the src attribute of an IMG element.
Max CVSS
5.3
EPSS Score
0.53%
Published
2018-02-07
Updated
2019-08-06
The S/MIME specification allows a Cipher Block Chaining (CBC) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL.
Max CVSS
5.9
EPSS Score
0.55%
Published
2018-05-16
Updated
2019-10-03
kpac/script.cpp in KDE kio before 5.32 and kdelibs before 4.14.30 calls the PAC FindProxyForURL function with a full https URL (potentially including Basic Authentication credentials, a query string, or PATH_INFO), which allows remote attackers to obtain sensitive information via a crafted PAC file.
Max CVSS
5.5
EPSS Score
0.32%
Published
2017-03-02
Updated
2019-10-03
A maliciously crafted command line for kdesu can result in the user only seeing part of the commands that will actually get executed as super user.
Max CVSS
4.9
EPSS Score
0.15%
Published
2016-12-23
Updated
2018-10-30
Turning all screens off in Plasma-workspace and kscreenlocker while the lock screen is shown can result in the screen being unlocked when turning a screen on again.
Max CVSS
6.8
EPSS Score
0.18%
Published
2016-12-23
Updated
2018-10-30
kde-workspace 4.2.0 and plasma-workspace before 5.1.95 allows remote attackers to obtain input events, and consequently obtain passwords, by leveraging access to the X server when the screen is locked.
Max CVSS
4.3
EPSS Score
0.32%
Published
2015-01-26
Updated
2015-01-26
plasma-workspace before 5.1.95 allows remote attackers to obtain passwords via a Trojan horse Look and Feel package.
Max CVSS
4.3
EPSS Score
0.28%
Published
2015-01-26
Updated
2015-01-26
KDE KMail does not encrypt attachments in emails when "automatic encryption" is enabled, which allows remote attackers to obtain sensitive information by sniffing the network.
Max CVSS
5.9
EPSS Score
0.23%
Published
2017-09-28
Updated
2017-10-06
Multiple cross-site scripting (XSS) vulnerabilities in KDE-Runtime 4.14.3 and earlier, kwebkitpart 1.3.4 and earlier, and kio-extras 5.1.1 and earlier allow remote attackers to inject arbitrary web script or HTML via a crafted URI using the (1) zip, (2) trash, (3) tar, (4) thumbnail, (5) smtps, (6) smtp, (7) smb, (8) remote, (9) recentdocuments, (10) nntps, (11) nntp, (12) network, (13) mbox, (14) ldaps, (15) ldap, (16) fonts, (17) file, (18) desktop, (19) cgi, (20) bookmarks, or (21) ar scheme, which is not properly handled in an error message.
Max CVSS
4.3
EPSS Score
0.32%
Published
2014-12-08
Updated
2018-10-30
KDE kdelibs before 4.14 and kauth before 5.1 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, related to CVE-2013-4288 and "PID reuse race conditions."
Max CVSS
6.9
EPSS Score
0.04%
Published
2014-08-19
Updated
2014-10-16
kio/usernotificationhandler.cpp in the POP3 kioslave in kdelibs 4.10.95 before 4.13.3 does not properly generate warning notifications, which allows man-in-the-middle attackers to obtain sensitive information via an invalid certificate.
Max CVSS
4.3
EPSS Score
0.11%
Published
2014-07-01
Updated
2018-10-30
94 vulnerabilities found
1 2 3 4
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!