Vigil@nce - KDE: execution of JavaScript code in KMail
August 2012 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can send an email containing JavaScript code, which is
executed when the recipient opens the mail in KDE KMail.
Severity: 2/4
Creation date: 13/07/2012
IMPACTED PRODUCTS
– Fedora
– Unix - plateform
DESCRIPTION OF THE VULNERABILITY
The KDE PIM KMail program is a messaging client for the KDE
environment.
The HTMLQuoteColorer::process() method of the
messageviewer/htmlquotecolorer.cpp file colorizes email quotes,
which start by the character ’>’ or ’|’. However,
HTMLQuoteColorer::process() does does filter JavaScript, Java
applets, nor plugins.
An attacker can therefore send an email containing JavaScript
code, which is executed when the recipient opens the mail in KDE
KMail.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/KDE-execution-of-JavaScript-code-in-KMail-11772