https://bugs.kde.org/show_bug.cgi?id=305169
Bug ID: 305169
Severity: major
URL: http://www.securem.eu/test.vcf
Version: unspecified
Priority: NOR
CC: [email protected]
Assignee: [email protected]
Summary: XSS Injection in KAddressbook
Classification: Unclassified
OS: Linux
Reporter: [email protected]
Hardware: Archlinux Packages
Status: UNCONFIRMED
Component: general
Product: kaddressbook
There is a security hole in the 4.9 version of KAddressBook, more precisely an
XSS injection is possible through a malicious vcard file, when imported.
Try to import the vcard http://www.securem.eu/test.vcf for example.
Additionally, the label for the TEL field is not displayed on my screen (maybe
a missing French translation?). What about yours?
Reproducible: Always
Steps to Reproduce:
1. Download the file http://www.securem.eu/test.vcf
2. Import it into KAddressBook
3. Show the corresponding profile "Mickaël Bergöm"
Actual Results:
HTML code in plaintext fields is evaluated and displayed as is
Expected Results:
The <h1> tags should be escaped and the "<" / ">" characters replaced by HTML
entities...
Actually this hole will not compromise your computer, as Javascript code seems
to be disabled, and iframes too, for example.
But it still allows a malicious file to display wrong things, or to direct you
to another website (URL field with a link to a malware website: <a
href="booh.com">good.com</a>)
_______________________________________________
Kdepim-bugs mailing list
[email protected]
https://mail.kde.org/mailman/listinfo/kdepim-bugs
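The fix the report asks for is output encoding: every value read from the vCard must be HTML-escaped before it is placed in the contact view, and a URL field should only become a clickable link when it is actually an http(s) URL, with the visible link text equal to the real destination so the display cannot point one way while the href goes another. The following is an added example written for this page; it is not KAddressBook's or KDE's code and uses plain C++ instead of Qt. It assumes a minimal vCard subset (unfolded "NAME:value" / "NAME;PARAM=x:value" lines) and a constructed sample card whose FN and URL fields carry the kind of markup the report describes.

```cpp
#include <cctype>
#include <iostream>
#include <map>
#include <sstream>
#include <string>

// Escape the five characters that change meaning inside HTML text or attribute values.
std::string htmlEscape(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

// Parse one simple vCard into property name -> raw value (assumption: no line folding,
// parameters after ';' are ignored). Values are kept exactly as found; nothing is
// trusted at this stage, the escaping happens at render time.
std::map<std::string, std::string> parseVCard(const std::string& text) {
    std::map<std::string, std::string> props;
    std::istringstream lines(text);
    std::string line;
    while (std::getline(lines, line)) {
        if (!line.empty() && line.back() == '\r') line.pop_back();
        auto colon = line.find(':');
        if (colon == std::string::npos) continue;
        std::string name = line.substr(0, colon);
        auto semi = name.find(';');
        if (semi != std::string::npos) name = name.substr(0, semi);
        for (auto& ch : name) ch = static_cast<char>(std::toupper(static_cast<unsigned char>(ch)));
        props[name] = line.substr(colon + 1);
    }
    return props;
}

// Only http and https destinations are allowed to become hyperlinks; any other
// URL value is shown as inert text.
bool isSafeHttpUrl(const std::string& url) {
    return url.rfind("http://", 0) == 0 || url.rfind("https://", 0) == 0;
}

// Build the contact view. Every file-controlled value passes through htmlEscape,
// and the link text is the escaped URL itself, so what the user sees is where
// the link goes.
std::string renderContactHtml(const std::map<std::string, std::string>& p) {
    auto get = [&](const char* key) {
        auto it = p.find(key);
        return it == p.end() ? std::string() : it->second;
    };
    std::string html;
    html += "<h2>" + htmlEscape(get("FN")) + "</h2>\n";
    html += "<p>Tel: " + htmlEscape(get("TEL")) + "</p>\n";
    const std::string url = get("URL");
    if (isSafeHttpUrl(url))
        html += "<p>URL: <a href=\"" + htmlEscape(url) + "\">" + htmlEscape(url) + "</a></p>\n";
    else
        html += "<p>URL: " + htmlEscape(url) + "</p>\n";
    return html;
}

// Constructed sample card (not the file from the report): FN carries an <h1>
// tag and URL carries a hand-written anchor, as the bug description outlines.
const std::string kSampleVCard =
    "BEGIN:VCARD\r\n"
    "VERSION:3.0\r\n"
    "FN:<h1>Mickael</h1>\r\n"
    "TEL;TYPE=cell:+33 1 00 00 00 00\r\n"
    "URL:<a href=\"booh.com\">good.com</a>\r\n"
    "END:VCARD\r\n";

int main() {
    std::cout << renderContactHtml(parseVCard(kSampleVCard));
    return 0;
}
```

Rendering the sample prints the `<h1>` tag and the anchor as literal text (`&lt;h1&gt;Mickael&lt;/h1&gt;`), and no hyperlink is produced because the URL value is not an http(s) URL. In a Qt code base the same escaping step is `QString::toHtmlEscaped()`; the essential property is that it is applied at the point where untrusted field values meet the HTML view, not selectively on fields that "look" dangerous.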