Filtered by vendor Kde Subscriptions
Total 197 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2019-14744 6 Canonical, Debian, Fedoraproject and 3 more 10 Ubuntu Linux, Debian Linux, Fedora and 7 more 2024-11-21 7.8 High
In KDE Frameworks KConfig before 5.61.0, malicious desktop files and configuration files lead to code execution with minimal user interaction. This relates to libKF5ConfigCore.so, and the mishandling of .desktop and .directory files, as demonstrated by a shell command on an Icon line in a .desktop file.
CVE-2019-10732 2 Debian, Kde 2 Debian Linux, Kmail 2024-11-21 4.3 Medium
In KDE KMail 5.2.3, an attacker in possession of S/MIME or PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. The encrypted part(s) can further be hidden using HTML/CSS or ASCII newline characters. This modified multipart email can be re-sent by the attacker to the intended receiver. If the receiver replies to this (benign looking) email, they unknowingly leak the plaintext of the encrypted message part(s) back to the attacker.
CVE-2018-6791 2 Debian, Kde 2 Debian Linux, Plasma-workspace 2024-11-21 N/A
An issue was discovered in soliduiserver/deviceserviceaction.cpp in KDE Plasma Workspace before 5.12.0. When a vfat thumbdrive that contains `` or $() in its volume label is plugged in and mounted through the device notifier, it's interpreted as a shell command, leading to a possibility of arbitrary command execution. An example of an offending volume label is "$(touch b)" -- this will create a file called b in the home folder.
CVE-2018-6790 2 Kde, Redhat 2 Plasma-workspace, Enterprise Linux 2024-11-21 N/A
An issue was discovered in KDE Plasma Workspace before 5.12.0. dataengines/notifications/notificationsengine.cpp allows remote attackers to discover client IP addresses via a URL in a notification, as demonstrated by the src attribute of an IMG element.
CVE-2018-19516 1 Kde 1 Kde Applications 2024-11-21 5.3 Medium
messagepartthemes/default/defaultrenderer.cpp in messagelib in KDE Applications before 18.12.0 does not properly restrict the handling of an http-equiv="REFRESH" value.
CVE-2018-19120 1 Kde 1 Kde Applications 2024-11-21 N/A
The HTML thumbnailer plugin in KDE Applications before 18.12.0 allows attackers to trigger outbound TCP connections to arbitrary IP addresses, leading to disclosure of the source IP address.
CVE-2018-10380 3 Debian, Kde, Opensuse 3 Debian Linux, Plasma, Leap 2024-11-21 N/A
kwallet-pam in KDE KWallet before 5.12.6 allows local users to obtain ownership of arbitrary files via a symlink attack.
CVE-2018-10361 1 Kde 1 Ktexteditor 2024-11-21 N/A
An issue was discovered in KTextEditor 5.34.0 through 5.45.0. Insecure handling of temporary files in the KTextEditor's kauth_ktexteditor_helper service (as utilized in the Kate text editor) can allow other unprivileged users on the local system to gain root privileges. The attack occurs when one user (who has an unprivileged account but is also able to authenticate as root) writes a text file using Kate into a directory owned by a another unprivileged user. The latter unprivileged user conducts a symlink attack to achieve privilege escalation.
CVE-2018-1000801 3 Debian, Kde, Redhat 3 Debian Linux, Okular, Enterprise Linux 2024-11-21 N/A
okular version 18.08 and earlier contains a Directory Traversal vulnerability in function "unpackDocumentArchive(...)" in "core/document.cpp" that can result in Arbitrary file creation on the user workstation. This attack appear to be exploitable via he victim must open a specially crafted Okular archive. This issue appears to have been corrected in version 18.08.1
CVE-2017-9604 1 Kde 3 Kde, Kmail, Messagelib 2024-11-21 N/A
KDE kmail before 5.5.2 and messagelib before 5.5.2, as distributed in KDE Applications before 17.04.2, do not ensure that a plugin's sign/encrypt action occurs during use of the Send Later feature, which allows remote attackers to obtain sensitive information by sniffing the network.
CVE-2017-8422 2 Kde, Redhat 3 Kauth, Kdelibs, Enterprise Linux 2024-11-21 N/A
KDE kdelibs before 4.14.32 and KAuth before 5.34 allow local users to gain root privileges by spoofing a callerID and leveraging a privileged helper app.
CVE-2017-6410 1 Kde 2 Kdelibs, Kio 2024-11-21 N/A
kpac/script.cpp in KDE kio before 5.32 and kdelibs before 4.14.30 calls the PAC FindProxyForURL function with a full https URL (potentially including Basic Authentication credentials, a query string, or PATH_INFO), which allows remote attackers to obtain sensitive information via a crafted PAC file.
CVE-2017-5330 2 Fedoraproject, Kde 2 Fedora, Ark 2024-11-21 N/A
ark before 16.12.1 might allow remote attackers to execute arbitrary code via an executable in an archive, related to associated applications.
CVE-2017-17689 16 9folders, Apple, Bloop and 13 more 17 Nine, Mail, Airmail and 14 more 2024-11-21 N/A
The S/MIME specification allows a Cipher Block Chaining (CBC) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL.
CVE-2016-7968 1 Kde 1 Kmail 2024-11-21 N/A
KMail since version 5.3.0 used a QWebEngine based viewer that had JavaScript enabled. HTML Mail contents were not sanitized for JavaScript and included code was executed.
CVE-2016-7967 1 Kde 1 Kmail 2024-11-21 N/A
KMail since version 5.3.0 used a QWebEngine based viewer that had JavaScript enabled. Since the generated html is executed in the local file security context by default access to remote and local URLs was enabled.
CVE-2016-7966 4 Debian, Fedoraproject, Kde and 1 more 4 Debian Linux, Fedora, Kmail and 1 more 2024-11-21 N/A
Through a malicious URL that contained a quote character it was possible to inject HTML code in KMail's plaintext viewer. Due to the parser used on the URL it was not possible to include the equal sign (=) or a space into the injected HTML, which greatly reduces the available HTML functionality. Although it is possible to include an HTML comment indicator to hide content.
CVE-2016-7787 2 Kde, Opensuse 3 Kde-cli-tools, Leap, Opensuse 2024-11-21 N/A
A maliciously crafted command line for kdesu can result in the user only seeing part of the commands that will actually get executed as super user.
CVE-2016-6232 2 Canonical, Kde 2 Ubuntu Linux, Karchives 2024-11-21 N/A
Directory traversal vulnerability in KArchive before 5.24, as used in KDE Frameworks, allows remote attackers to write to arbitrary files via a ../ (dot dot slash) in a filename in an archive file, related to KNewsstuff downloads.
CVE-2016-3100 2 Kde, Opensuse 3 Kde Frameworks, Leap, Opensuse 2024-11-21 N/A
kinit in KDE Frameworks before 5.23.0 uses weak permissions (644) for /tmp/xauth-xxx-_y, which allows local users to obtain X11 cookies of other users and consequently capture keystrokes and possibly gain privileges by reading the file.