Published: 2005-05-02 00:00:00
Revised: 2008-09-05 16:46:11

[Original text] KMail 1.7.1 in KDE 3.3.2 allows remote attackers to spoof email information, such as whether the email has been digitally signed or encrypted, via HTML formatted email.

[CNNVD] KDE KMail HTML Email Remote Email Content Spoofing Vulnerability (CNNVD-200505-534)

        A remote email message content spoofing vulnerability exists in KDE KMail, caused by the application failing to properly filter HTML email messages.

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)


- OVAL (technical details for detection)


- Official database links
(official data source) MITRE
(official data source) NVD
(official data source) CNNVD

- Other links and resources
(VENDOR_ADVISORY)  MLIST  [kmail-devel] 20050215 [Bug 96020] HTML Allows Spoofing of Emails Content

- Vulnerability information

KDE KMail HTML Email Remote Email Content Spoofing Vulnerability
Medium severity  Input validation
2005-05-02 00:00:00 2005-10-20 00:00:00
        A remote email message content spoofing vulnerability exists in KDE KMail, caused by the application failing to properly filter HTML email messages.

- Advisories and patches


- Vulnerability information

KDE KMail User Interface HTML Overlay Spoofing
Loss of Integrity Patch / RCS
Exploit Public Vendor Verified

- Vulnerability description

Unknown or Incomplete

- Timeline

2004-12-30 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

KDE KMail HTML EMail Remote Email Content Spoofing Vulnerability
Input Validation Error 13085
Yes No
2005-04-11 12:00:00 2009-07-12 12:56:00
Noam Rathaus is credited with the discovery of this issue.

- Affected software versions

KDE kmail 1.7.1
+ KDE KDE 3.3.2

- Vulnerability discussion

A remote email message content spoofing vulnerability affects KDE KMail. This issue is due to a failure of the application to properly sanitize HTML email messages.

An attacker may leverage this issue to spoof email content and various header fields of email messages. This may aid an attacker in conducting phishing and social engineering attacks by spoofing PGP keys as well as other critical information.

- Exploit

No exploit is required to leverage this issue. The following proof of concept has been made available:

- Solution

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: <>.

- Related references