https://bugs.kde.org/show_bug.cgi?id=369186

            Bug ID: 369186
           Summary: [security] XSS when viewing plain text mail
           Product: kmail2
           Version: unspecified
          Platform: Archlinux Packages
                OS: Linux
            Status: UNCONFIRMED
          Severity: critical
          Priority: NOR
         Component: UI
          Assignee: kdepim-bugs@kde.org
          Reporter: bluew...@xinu.at

When opening the following mail from the full-disclosure mailing list, I get a
JavaScript alert window with the message "1" (without quotes):
[FD] SEC Consult SA-20160922-0 :: Potential backdoor access through multiple
vulnerabilities in Kerio Control Unified Threat Management

Reproducible: Always

Steps to Reproduce:
Open the message attached to this report in kmail.

Actual Results:
A JavaScript alert pops up instantly.

Expected Results:
No alert window.

Arch Linux
kmail 16.08.1-1 (version 5.3.0 in the about dialog)

Can't seem to attach the mail yet. I'll do so in a comment.
