*** This bug is a security vulnerability ***

Public security bug reported:

Through a malicious URL that contained a quote character it was possible to inject HTML code in KMail's plain text viewer. Due to the parser used on the URL it was not possible to include the equal sign (=) or a space in the injected HTML, which greatly reduces the available HTML functionality, although it is possible to include an HTML comment indicator to hide content.

Note: Affected package is kdepimlibs in 12.04 - 15.04 and it looks like both kcoreaddons and messagecomposer in later releases.

** Affects: kdepimlibs (Ubuntu)
     Importance: High
         Status: Triaged

https://bugs.launchpad.net/bugs/1631237

Title:
  KMail: HTML injection in plain text viewer