KDE kdelibs vulnerabilities

8 known vulnerabilities affecting kde/kdelibs.

Total CVEs: 8
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: HIGH 4, MEDIUM 4

Vulnerabilities

CVE-2015-7543 | HIGH | CVSS 7.0 | ≤ 3.5.10 | 2017-07-25
CVE-2015-7543 [HIGH] CWE-362: aRts 1.5.10 and kdelibs3 3.5.10 and earlier do not properly create temporary directories, which allows local users to hijack the IPC by pre-creating the temporary directory.
nvd
CVE-2017-8422 | HIGH | CVSS 7.8 | PoC | ≤ 4.14.31 | 2017-05-17
CVE-2017-8422 [HIGH] CWE-290: KDE kdelibs before 4.14.32 and KAuth before 5.34 allow local users to gain root privileges by spoofing a callerID and leveraging a privileged helper app.
nvd
CVE-2017-6410 | MEDIUM | CVSS 5.5 | ≤ 4.14.29 | 2017-03-02
CVE-2017-6410 [MEDIUM] CWE-319: kpac/script.cpp in KDE kio before 5.32 and kdelibs before 4.14.30 calls the PAC FindProxyForURL function with a full https URL (potentially including Basic Authentication credentials, a query string, or PATH_INFO), which allows remote attackers to obtain sensitive information via a crafted PAC file.
nvd
CVE-2014-5033 | MEDIUM | CVSS 6.9 | ≤ 4.13.97, v4.10.0, +32 more | 2014-08-19
CVE-2014-5033 [MEDIUM]: KDE kdelibs before 4.14 and kauth before 5.1 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, related to CVE-2013-4288 and "PID reuse race conditions."
nvd
CVE-2014-3494 | MEDIUM | CVSS 4.3 | v4.10.97, v4.11.0, +21 more | 2014-07-01
CVE-2014-3494 [MEDIUM] CWE-200: kio/usernotificationhandler.cpp in the POP3 kioslave in kdelibs 4.10.95 before 4.13.3 does not properly generate warning notifications, which allows man-in-the-middle attackers to obtain sensitive information via an invalid certificate.
nvd
CVE-2013-2074 | MEDIUM | CVSS 5.0 | ≤ 4.10.3, v4.10.0, +2 more | 2014-02-05
CVE-2013-2074 [MEDIUM] CWE-200: kioslave/http/http.cpp in KIO in kdelibs 4.10.3 and earlier allows attackers to discover credentials via a crafted request that triggers an "internal server error," which includes the username and password in an error message.
nvd
CVE-2009-2702 | HIGH | CVSS 7.5 | v3.5.4, v4.2.4, +1 more | 2009-09-08
CVE-2009-2702 [HIGH] CWE-310: KDE KSSL in kdelibs 3.5.4, 4.2.4, and 4.3 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
nvd
CVE-2004-1165 | HIGH | CVSS 7.5 | PoC | v3.1, v3.1.1, +7 more | 2005-01-10
CVE-2004-1165 [HIGH]: Konqueror 3.3.1 allows remote attackers to execute arbitrary FTP commands via an ftp:// URL that contains a URL-encoded newline ("%0a") before the FTP command, which causes the commands to be inserted into the resulting FTP session, as demonstrated using a PORT command.
nvd