Remote Code Execution Vulnerability in KMail by KDE
CVE-2016-7967

8.1HIGH

Key Information:

Vendor: Kde
Status: Kmail
Vendor: CVE Published:; 23 December 2016

What is CVE-2016-7967?

KMail, an email client from KDE, introduced a vulnerability where the QWebEngine-based viewer allows enabled JavaScript. By generating HTML in a local file security context, this flaw inadvertently grants access to both remote and local URLs, potentially leading to unauthorized code execution. Users should take precautions, especially in versions 5.3.0 and above, to mitigate risks associated with this security oversight.

References

http://www.securityfocus.com/bid/93360

vdb-entryx_refsource_BID

http://www.openwall.com/lists/oss-security/2016/10/05/1

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 23, 2016
Vulnerability Reserved
Sep 9, 2016

CVE-2016-7967 Data

JSON

Kde

What is CVE-2016-7967?

References

CVSS V3.1

Timeline