CVE-2019-9149
CVE-2019-9149 affects Mailvelope prior to 3.3.0. An attacker can trigger private key operations without user interaction by tampering a URL parameter in Mailvelope’s client-API, allowing signing (and encrypting) arbitrary messages if the private key password is cached. A separate issue enables de...