[arch-security] [ASA-201610-4] kcoreaddons: insufficient validation
Chris.Rebischke at archlinux.org
Fri Oct 7 19:12:36 UTC 2016
Arch Linux Security Advisory ASA-201610-4
Date : 2016-10-07
CVE-ID : CVE-2016-7966
Package : kcoreaddons
Type : insufficient validation
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE
The package kcoreaddons before version 5.26.0-2 is vulnerable to
Upgrade to 5.26.0-2.
# pacman -Syu "kcoreaddons>=5.26.0-2"
The problem has been fixed upstream but no release is available yet.
Through a malicious URL that contained a quote character it was
possible to inject HTML code in KMail's plain text viewer. Due to the
parser used on the URL it was not possible to include the equal sign
(=) or a space into the injected HTML, which greatly reduces the
available HTML functionality. Although it is possible to include an
HTML comment indicator to hide content.
A remote attacker is able to inject HTML code in KMail's plain text
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 801 bytes
Desc: not available
More information about the arch-security