Description
KMail since version 5.3.0 used a QWebEngine based viewer that had JavaScript enabled. Since the generated html is executed in the local file security context by default access to remote and local URLs was enabled.
CVSS Metrics
- Vector
- CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
- Attack Vector
- network
- Complexity
- low
- Privileges
- none
- User Action
- required
- Scope
- unchanged
- Confidentiality
- high
- Integrity
- high
- Availability
- none
- Weaknesses
- CWE-94CWE-284
Metadata
- Primary Vendor
- KDE
- Published
- 12/23/2016
- Last Modified
- 4/12/2025
- Source
- NIST NVD
- Note: Verify all details with official vendor sources before applying patches.
Affected Products
kde : kmail
AI-Powered Remediation
Generate remediation guidance or a C-suite brief for this vulnerability.