CVE-2016-7966

2016-10-05T00:00:00
ID UB:CVE-2016-7966
Type ubuntucve
Reporter ubuntu.com
Modified 2016-10-05T00:00:00

Description

Through a malicious URL that contained a quote character, it was possible to inject HTML code into KMail's plaintext viewer. Because of the parser applied to the URL, the injected HTML could not contain an equals sign (=) or a space, which greatly reduces the available HTML functionality, although it was possible to include an HTML comment indicator to hide content.
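The flaw class the description points at, as an added example that is not KMail's code: a minimal plaintext-to-HTML linkifier in plain C++ that splices a raw URL into an `href` attribute, beside a hardened version that HTML-escapes the URL first. The function names, the constructed sample URL (a quote followed by an HTML comment opener, with no `=` or space, matching the constraints the advisory describes) and the `containsInjectedMarkup` check are illustrative assumptions, not taken from the KMail sources or fix.

```cpp
// Added example (not KMail code): model of a plaintext viewer that turns
// URLs into clickable links. Splicing the raw URL into an HTML attribute
// lets a quote character terminate the attribute and inject markup;
// escaping the URL before rendering removes the problem.
#include <iostream>
#include <string>

// Escape the characters that carry meaning inside HTML text and attributes.
std::string htmlEscape(const std::string &in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
        case '&':  out += "&amp;";  break;
        case '<':  out += "&lt;";   break;
        case '>':  out += "&gt;";   break;
        case '"':  out += "&quot;"; break;
        case '\'': out += "&#39;";  break;
        default:   out += c;
        }
    }
    return out;
}

// Vulnerable: the URL goes straight into the href attribute and link text.
std::string linkifyUnsafe(const std::string &url) {
    return "<a href=\"" + url + "\">" + url + "</a>";
}

// Hardened: the URL is escaped before it is placed into attribute and text.
std::string linkifySafe(const std::string &url) {
    const std::string e = htmlEscape(url);
    return "<a href=\"" + e + "\">" + e + "</a>";
}

// Detection helper (constructed for this example): a correctly rendered link
// contains exactly two '"' (around the href value) and exactly two '<'
// (opening <a and closing </a>). Any extra quote or angle bracket in the
// output must have come from the URL, i.e. markup was injected.
bool containsInjectedMarkup(const std::string &html) {
    std::size_t quotes = 0, lts = 0;
    for (char c : html) {
        if (c == '"') ++quotes;
        if (c == '<') ++lts;
    }
    return quotes != 2 || lts != 2;
}

int main() {
    // Constructed sample URL: quote character plus comment opener,
    // no '=' and no space, as in the constraints described above.
    const std::string hostile = "http://example.invalid/\"><!--";
    std::cout << "unsafe: " << linkifyUnsafe(hostile) << "\n";
    std::cout << "safe:   " << linkifySafe(hostile) << "\n";
    return 0;
}
```

The escaping must be applied to every context the untrusted string lands in (here both the attribute value and the element text); escaping only the attribute would still leave the visible link text able to carry a comment opener that hides the rest of the message.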

Bugs

  • <https://bugs.launchpad.net/bugs/1630700>
  • <https://bugs.launchpad.net/bugs/1631237>

Notes

Author | Note
---|---
mdeslaur | per ScottK: Affected package is kdepimlibs in 12.04 - 15.04 and it looks like both kcoreaddons and messagecomposer in later releases
tsimonq2 | An additional part to this was released, therefore we need additional commits on top of the initial fix.