https://bugs.kde.org/show_bug.cgi?id=305169
Bug ID: 305169
Summary: XSS Injection in KAddressbook
Product: kaddressbook
Component: general
Version: unspecified
Hardware: Archlinux Packages
OS: Linux
Status: UNCONFIRMED
Severity: major
Priority: NOR
Classification: Unclassified
URL: http://www.securem.eu/test.vcf
Assignee: kdepim-bugs@kde.org
Reporter: mpri...@laposte.net
CC: to...@kde.org

There is a security hole in the 4.9 version of KAddressBook; more precisely, an XSS injection is possible through a malicious vcard file when it is imported. Try to import the vcard http://www.securem.eu/test.vcf, for example.

Additionally, the label for the TEL field is not displayed on my screen (maybe a missing French translation?). What about yours?

Reproducible: Always

Steps to Reproduce:
1. Download the file http://www.securem.eu/test.vcf
2. Import it into KAddressBook
3. Show the corresponding profile "Mickaël Bergöm"

Actual Results:
HTML code in plaintext fields is evaluated and displayed as is.

Expected Results:
The <h1> tags should be escaped and the "<" / ">" characters replaced by HTML entities...

Actually this hole will not compromise your computer, as Javascript code seems to be disabled, and iframes too, for example. But it still allows a malicious file to display wrong things, or to direct you to another website (URL field with a link to a malware website: <a href="booh.com">good.com</a>).
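The injection the report describes, as an added example that is not part of the original bug report and not KAddressBook or KDE PIM code: a minimal vCard line reader feeding a contact view, once with the field values concatenated into HTML as-is (the reported behaviour) and once with them escaped first (the behaviour the reporter expects). The sample vCard is constructed here to mimic the shape of the report's test.vcf (the real file is not reproduced); the property names FN, TEL and URL are standard vCard 3.0 properties, and the parser, renderers and `htmlEscape` helper are this example's own, standing in for whatever the application actually does.

```cpp
// Added example (not KAddressBook code): a minimal vCard 3.0 line reader
// and the HTML-escaping step the bug report asks for. The sample vCard,
// the parser and the two renderers are all constructed for illustration.
#include <map>
#include <sstream>
#include <string>

// Constructed vCard with HTML markup in text fields, in the spirit of the
// report's test.vcf. The name is ASCII here; the real file is not reproduced.
static const std::string kMaliciousVcard =
    "BEGIN:VCARD\r\n"
    "VERSION:3.0\r\n"
    "FN:<h1>Mickael Bergom</h1>\r\n"
    "TEL;TYPE=CELL:+33 6 00 00 00 00\r\n"
    "URL:<a href=\"booh.com\">good.com</a>\r\n"
    "END:VCARD\r\n";

// Parse "NAME[;param=value...]:value" lines into a property -> value map.
// Parameters after ';' are dropped; only the value matters for display.
// Line folding and escaped commas are not handled; this is a reader for
// the demonstration, not a full vCard parser.
std::map<std::string, std::string> parseVcard(const std::string& text) {
    std::map<std::string, std::string> props;
    std::istringstream in(text);
    std::string line;
    while (std::getline(in, line)) {
        if (!line.empty() && line.back() == '\r') line.pop_back();
        auto colon = line.find(':');
        if (colon == std::string::npos) continue;
        std::string name = line.substr(0, colon);
        auto semi = name.find(';');
        if (semi != std::string::npos) name = name.substr(0, semi);
        props[name] = line.substr(colon + 1);
    }
    return props;
}

// Replace the characters that carry meaning in HTML markup with entities.
// This does the same job as Qt::escape() / QString::toHtmlEscaped() in Qt,
// which cover & < > and double quotes; the single quote is added here so
// the output is also safe inside single-quoted attribute values.
std::string htmlEscape(const std::string& s) {
    std::string out;
    out.reserve(s.size());
    for (char c : s) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

// Vulnerable rendering (the reported behaviour): field values are
// concatenated straight into the HTML shown in the contact view, so the
// <h1> and <a href> from the file become live markup.
std::string renderUnsafe(const std::map<std::string, std::string>& p) {
    return "<b>" + p.at("FN") + "</b><br/>" + p.at("URL");
}

// Fixed rendering (the expected behaviour): every value taken from the
// file is escaped before it is placed into the markup, so the tags are
// displayed as literal text instead of being interpreted.
std::string renderSafe(const std::map<std::string, std::string>& p) {
    return "<b>" + htmlEscape(p.at("FN")) + "</b><br/>" +
           htmlEscape(p.at("URL"));
}
```

The point of keeping the escape in the renderer rather than the parser is that the parsed value stays the real contact data (a name containing "&" must survive a round trip back to vCard); only the HTML view needs the entities. Note that escaping does not turn the URL field into a safe link: a view that wants a clickable URL still has to validate the scheme and put the value into an href attribute it builds itself, never echo markup from the file.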