CVE-2018-6790 — Sensitive Information Exposure in Plasma-workspace

CWE-200 — Sensitive Information Exposure CWE-20 — Improper Input Validation9 documents7 sources

Severity

5.3MEDIUMNVD

EPSS

0.2%

top 54.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

KDE Plasma-workspace

Timeline

PublishedFeb 7

Latest updateMay 14

Description

An issue was discovered in KDE Plasma Workspace before 5.12.0. dataengines/notifications/notificationsengine.cpp allows remote attackers to discover client IP addresses via a URL in a notification, as demonstrated by the src attribute of an IMG element.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶NVDkde/plasma-workspace< 5.12.0

▶Debiankde/plasma-workspace< 4:5.12.0-2+3

🔴Vulnerability Details

GHSA

GHSA-q5wj-8g6x-hgg2: An issue was discovered in KDE Plasma Workspace before 5↗2022-05-14

▶

CVEList

CVE-2018-6790: An issue was discovered in KDE Plasma Workspace before 5↗2018-02-07

▶

OSV

CVE-2018-6790: An issue was discovered in KDE Plasma Workspace before 5↗2018-02-07

▶

📋Vendor Advisories

Red Hat

kde-workspace: Missing sanitization of notifications allows to leak client IP address via IMG element↗2018-02-08

▶

Debian

CVE-2018-6790: plasma-workspace - An issue was discovered in KDE Plasma Workspace before 5.12.0. dataengines/notif...↗2018

▶

💬Community

Bugzilla

CVE-2018-6790 CVE-2018-6791 plasma-workspace: various flaws [fedora-all]↗2018-02-08

▶

Bugzilla

CVE-2018-6790 kde-workspace: Missing sanitization of notifications allows to leak client IP address via IMG element [fedora-all]↗2018-02-08

▶

Bugzilla

CVE-2018-6790 kde-workspace: Missing sanitization of notifications allows to leak client IP address via IMG element↗2018-02-08

▶