Through a malicious URL that contained a quote character it was possible to inject HTML code in KMail's plaintext viewer. Due to the parser used on the URL it was not possible to include the equal sign (=) or a space into the injected HTML, which greatly reduces the available HTML functionality. Although it is possible to include an HTML comment indicator to hide content.
mdeslaur | per ScottK: Affected package is kdepimlibs in 12.04 - 15.04 and it looks like both kcoreaddons and messagecomposer in later releases
tsimonq2 | An additional part to this was released, therefore we need additional commits on top of the initial fix.