Sensitive Information Exposure in KDE's KIO and KDELISBS Software
CVE-2017-6410

5.5MEDIUM

Key Information:

Vendor

Kde

Status
Kdelibs
Kio
Vendor
CVE Published:
2 March 2017

What is CVE-2017-6410?

A vulnerability exists in KDE's KIO and kdelibs due to improper handling of full HTTPS URLs in the PAC FindProxyForURL function. This flaw allows malicious users to craft PAC files that may lead to the exposure of sensitive information, including Basic Authentication credentials and query strings. Proper validation and sanitization of inputs are crucial to mitigate the risk associated with this vulnerability.

References

http://www.debian.org/security/2017/dsa-3849
vendor-advisoryx_refsource_DEBIAN
http://www.securityfocus.com/bid/96515
vdb-entryx_refsource_BID
https://www.kde.org/info/security/advisory-20170228-1.txt
x_refsource_CONFIRM

CVSS V3.1

Score:
5.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.