369186 – [security] XSS when viewing plain text mail

Bug 369186 - [security] XSS when viewing plain text mail

Summary: [security] XSS when viewing plain text mail

Status:	RESOLVED FIXED

Alias:	None

Product:	kmail2
Classification:	Applications
Component:	UI (show other bugs)
Version:	unspecified
Platform:	Arch Linux Linux

Importance:	NOR critical
Target Milestone:	---
Assignee:	kdepim bugs

URL:
Keywords:

Depends on:
Blocks:

Reported:	2016-09-22 09:23 UTC by Florian Pritz
Modified:	2016-09-30 15:40 UTC (History)
CC List:	1 user (show)

See Also:
Latest Commit:
Version Fixed In:	5.3.2

Attachments
test message containing XSS (30.89 KB, application/mbox) 2016-09-22 09:23 UTC, Florian Pritz	Details
View All Add an attachment

Note You need to log in before you can comment on or make changes to this bug.

Description Florian Pritz 2016-09-22 09:23:00 UTC

When opening the following mail from the full-disclosure mailing list, I get a javascript alert window with the message "1" (without quotes):
[FD] SEC Consult SA-20160922-0 :: Potential backdoor access through multiple vulnerabilities in Kerio Control Unified Threat Management

Reproducible: Always

Steps to Reproduce:
Open the message attached to this report in kmail.

Actual Results:  
A javascript alert pops up instantly.

Expected Results:  
No alert window

Arch Linux
kmail 16.08.1-1 (version 5.3.0 in the about dialog)

Can't seem to attach the mail yet. I'll do so in a comment.

Comment 1 Florian Pritz 2016-09-22 09:23:31 UTC

Created attachment 101225 [details]
test message containing XSS

Comment 2 Laurent Montel 2016-09-30 15:40:28 UTC

Fixed in 5.3.2