ASA-201610-4 log original external raw
[ASA-201610-4] kcoreaddons: insufficient validation |
---|
Arch Linux Security Advisory ASA-201610-4
=========================================
Severity: Medium
Date : 2016-10-07
CVE-ID : CVE-2016-7966
Package : kcoreaddons
Type : insufficient validation
Remote : Yes
Link : https://security.archlinux.org/AVG-43
Summary
=======
The package kcoreaddons before version 5.26.0-2 is vulnerable to
insufficient validation.
Resolution
==========
Upgrade to 5.26.0-2.
# pacman -Syu "kcoreaddons>=5.26.0-2"
The problem has been fixed upstream but no release is available yet.
Workaround
==========
None.
Description
===========
Through a malicious URL that contained a quote character it was
possible to inject HTML code in KMail's plain text viewer. Due to the
parser used on the URL it was not possible to include the equal sign
(=) or a space into the injected HTML, which greatly reduces the
available HTML functionality. Although it is possible to include an
HTML comment indicator to hide content.
Impact
======
A remote attacker is able to inject HTML code in KMail's plain text
viewer.
References
==========
https://www.kde.org/info/security/advisory-20161006-1.txt
http://seclists.org/oss-sec/2016/q4/23
https://security.archlinux.org/CVE-2016-7966
|