Bug 369186

Summary: [security] XSS when viewing plain text mail
Product: [Applications] kmail2 Reporter: Florian Pritz <bluewind>
Component: UIAssignee: kdepim bugs <pim-bugs-null>
Status: RESOLVED FIXED    
Severity: critical CC: montel
Priority: NOR    
Version First Reported In: unspecified   
Target Milestone: ---   
Platform: Arch Linux   
OS: Linux   
Latest Commit: Version Fixed/Implemented In: 5.3.2
Sentry Crash Report:
Attachments: test message containing XSS

Description Florian Pritz 2016-09-22 09:23:00 UTC 
When opening the following mail from the full-disclosure mailing list, I get a javascript alert window with the message "1" (without quotes):
[FD] SEC Consult SA-20160922-0 :: Potential backdoor access through multiple vulnerabilities in Kerio Control Unified Threat Management

Reproducible: Always

Steps to Reproduce:
Open the message attached to this report in kmail.

Actual Results:  
A javascript alert pops up instantly.

Expected Results:  
No alert window

Arch Linux
kmail 16.08.1-1 (version 5.3.0 in the about dialog)

Can't seem to attach the mail yet. I'll do so in a comment.
Comment 1 Florian Pritz 2016-09-22 09:23:31 UTC 
Created attachment 101225 [details]
test message containing XSS
Comment 2 Laurent Montel 2016-09-30 15:40:28 UTC 
Fixed in 5.3.2