Bug ID: 369186
           Summary: [security] XSS when viewing plain text mail
           Product: kmail2
           Version: unspecified
          Platform: Archlinux Packages
                OS: Linux
            Status: UNCONFIRMED
          Severity: critical
          Priority: NOR
         Component: UI

When opening the following mail from the full-disclosure mailing list, I get a
javascript alert window with the message "1" (without quotes):
[FD] SEC Consult SA-20160922-0 :: Potential backdoor access through multiple
vulnerabilities in Kerio Control Unified Threat Management

Reproducible: Always

Steps to Reproduce:
Open the message attached to this report in kmail.

Actual Results:  
A javascript alert pops up instantly.

Expected Results:  
No alert window

Arch Linux
kmail 16.08.1-1 (version 5.3.0 in the about dialog)

Can't seem to attach the mail yet. I'll do so in a comment.

You are receiving this mail because:
You are watching all bug changes.

Reply via email to