https://bugs.kde.org/show_bug.cgi?id=369186
            Bug ID: 369186
           Summary: [security] XSS when viewing plain text mail
           Product: kmail2
           Version: unspecified
          Platform: Archlinux Packages
                OS: Linux
            Status: UNCONFIRMED
          Severity: critical
          Priority: NOR
         Component: UI
          Assignee: kdepim-b...@kde.org
          Reporter: bluew...@xinu.at

When opening the following mail from the full-disclosure mailing list, I get a
javascript alert window with the message "1" (without quotes):

[FD] SEC Consult SA-20160922-0 :: Potential backdoor access through multiple
vulnerabilities in Kerio Control Unified Threat Management

Reproducible: Always

Steps to Reproduce:
Open the message attached to this report in kmail.

Actual Results:
A javascript alert pops up instantly.

Expected Results:
No alert window

Arch Linux kmail 16.08.1-1 (version 5.3.0 in the about dialog)

Can't seem to attach the mail yet. I'll do so in a comment.
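Added example, not code from KMail or from the reporter: the defender-side handling for the class of problem this report describes. A text/plain body must be HTML-escaped before it is inserted into an HTML-based message viewer; if it is inserted verbatim, any markup the sender typed becomes live HTML. The assumption that the reported alert comes from an unescaped text/plain body is mine, inferred from the summary; the sample body, the function names and the tag-collecting check are constructed for this illustration.

```python
"""Escaping a text/plain mail body before it goes into an HTML viewer.

Added example; not KMail code. The bug mechanism assumed here (plain text
inserted into HTML without escaping) is inferred from the report summary.
"""
import html
from html.parser import HTMLParser

# Constructed sample body (not the message from the report): plain text that
# happens to contain HTML markup, as a pasted advisory might.
SAMPLE_PLAIN_BODY = (
    "Advisory text with markup: <script>alert(1)</script>\n"
    "Second line & a \"quoted\" word."
)


def render_plain_unsafe(body: str) -> str:
    """The failure mode: the text/plain body is dropped into the viewer's HTML
    as-is, so tags inside it are parsed and executed by the viewer."""
    return '<div class="mail-body">' + body.replace("\n", "<br>") + "</div>"


def render_plain_safe(body: str) -> str:
    """The fix: escape <, >, &, and quotes so the body is displayed as text,
    and let <pre> preserve the original line breaks and spacing."""
    return '<pre class="mail-body">' + html.escape(body, quote=True) + "</pre>"


class _TagCollector(HTMLParser):
    """Collects every start tag the HTML parser sees; used as a regression check."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)


def tags_in(rendered: str) -> list[str]:
    """Return the start tags an HTML parser finds in the rendered output."""
    collector = _TagCollector()
    collector.feed(rendered)
    collector.close()
    return collector.tags


def plain_render_is_text_only(rendered: str) -> bool:
    """Regression check a viewer could apply: a rendered text/plain part must
    contain no tag other than the wrapper the renderer itself emitted."""
    return tags_in(rendered) == ["pre"]


if __name__ == "__main__":
    unsafe = render_plain_unsafe(SAMPLE_PLAIN_BODY)
    safe = render_plain_safe(SAMPLE_PLAIN_BODY)
    print("unsafe tags:", tags_in(unsafe))   # the body's <script> is live here
    print("safe tags:  ", tags_in(safe))     # only the renderer's own <pre>
    print(safe)
```

The `tags_in` check is the kind of assertion worth keeping in a viewer's test suite: for every text/plain fixture, the only tag the parser may find in the rendered output is the renderer's own wrapper.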