When opening the following mail from the full-disclosure mailing list, I get a JavaScript alert window with the message "1" (without quotes):

[FD] SEC Consult SA-20160922-0 :: Potential backdoor access through multiple vulnerabilities in Kerio Control Unified Threat Management

Reproducible: Always

Steps to Reproduce:
Open the message attached to this report in kmail.

Actual Results:
A JavaScript alert pops up instantly.

Expected Results:
No alert window

Arch Linux kmail 16.08.1-1 (version 5.3.0 in the about dialog)

Can't seem to attach the mail yet. I'll do so in a comment.
Created attachment 101225: test message containing XSS
Fixed in 5.3.2