Severity
8.1 HIGH
EPSS
0.3%
top 46.46%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Dec 23
Latest update: May 17

Description

KMail since version 5.3.0 used a QWebEngine-based viewer that had JavaScript enabled. Since the generated HTML is executed in the local file security context by default access to remote and local URLs was enabled.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Exploitability: 2.8 | Impact: 5.2

Affected Packages (2 packages)

NVD: kde/kmail 5.3.0
Ubuntu: kdepim < 4:4.13.3-0ubuntu0.1

🔴Vulnerability Details

3
GHSA
GHSA-99pq-r374-7jh3: KMail since version 5 (2022-05-17)
CVEList
CVE-2016-7967: KMail since version 5 (2016-12-23)
OSV
CVE-2016-7967: KMail since version 5 (2016-12-23)

📋Vendor Advisories

2
Red Hat
kdepim: JavaScript access to local and remote URLs in Kmail (2016-10-04)
Debian
CVE-2016-7967: kf5-messagelib - KMail since version 5.3.0 used a QWebEngine based viewer that had JavaScript ena... (2016)

💬Community

6
Bugzilla
CVE-2016-7967 kf5-messagelib: kdepim: JavaScript access to local and remote URLs in Kmail [fedora-all] (2016-10-11)
Bugzilla
CVE-2016-7966 CVE-2016-7967 CVE-2016-7968 kdepim4: various flaws [fedora-all] (2016-10-06)
Bugzilla
CVE-2016-7966 CVE-2016-7967 CVE-2016-7968 kdepim: various flaws [fedora-all] (2016-10-06)
Bugzilla
CVE-2016-7967 kdepim: JavaScript access to local and remote URLs in Kmail (2016-10-06)
Bugzilla
CVE-2016-7966 CVE-2016-7967 CVE-2016-7968 kdepim3: various flaws [epel-7] (2016-10-06)