Lucene search

[email protected]CVE-2016-7966

HistoryDec 23, 2016 - 10:59 p.m.

CVE-2016-7966

2016-12-2322:59:00

CWE-94

[email protected]

web.nvd.nist.gov

cve-2016-7966

html injection

kmail

plaintext viewer

security vulnerability

7.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

7 High

AI Score

Confidence

High

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.008 Low

EPSS

Percentile

81.5%

JSON

Through a malicious URL that contained a quote character it was possible to inject HTML code in KMail’s plaintext viewer. Due to the parser used on the URL it was not possible to include the equal sign (=) or a space into the injected HTML, which greatly reduces the available HTML functionality. Although it is possible to include an HTML comment indicator to hide content.

CPENameOperatorVersion
kde:kmailkde kmaille4.4.0
debian:debian_linuxdebian debian linuxeq8.0
fedoraproject:fedorafedoraproject fedoraeq25
suse:linux_enterprisesuse linux enterpriseeq12.0

CPE	Name	Operator	Version
kde:kmail	kde kmail	le	4.4.0
debian:debian_linux	debian debian linux	eq	8.0
fedoraproject:fedora	fedoraproject fedora	eq	25
suse:linux_enterprise	suse linux enterprise	eq	12.0