CVE-2016-7966
Severity CVSS v4.0:
Pending analysis
Type:
CWE-94
Code Injection
Publication date:
23/12/2016
Last modified:
12/04/2025
Description
Through a malicious URL that contained a quote character it was possible to inject HTML code in KMail's plaintext viewer. Due to the parser used on the URL it was not possible to include the equal sign (=) or a space into the injected HTML, which greatly reduces the available HTML functionality. Although it is possible to include an HTML comment indicator to hide content.
Impact
Base Score 3.x
7.30
Severity 3.x
HIGH
Base Score 2.0
7.50
Severity 2.0
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:kde:kmail:*:*:*:*:*:*:*:* | 4.4.0 (including) | |
| cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:* | ||
| cpe:2.3:o:fedoraproject:fedora:25:*:*:*:*:*:*:* | ||
| cpe:2.3:o:suse:linux_enterprise:12.0:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://lists.opensuse.org/opensuse-updates/2016-10/msg00065.html
- http://www.debian.org/security/2016/dsa-3697
- http://www.openwall.com/lists/oss-security/2016/10/05/1
- http://www.securityfocus.com/bid/93360
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QNMM5TVPTJQFPJ3YDF4DPXDFW3GQLWLY/
- http://lists.opensuse.org/opensuse-updates/2016-10/msg00065.html
- http://www.debian.org/security/2016/dsa-3697
- http://www.openwall.com/lists/oss-security/2016/10/05/1
- http://www.securityfocus.com/bid/93360
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QNMM5TVPTJQFPJ3YDF4DPXDFW3GQLWLY/