|Description||Through a malicious URL that contained a quote character it was possible to inject HTML code in KMail's plaintext viewer. Due to the parser used on the URL it was not possible to include the equal sign (=) or a space into the injected HTML, which greatly reduces the available HTML functionality. Although it is possible to include an HTML comment indicator to hide content.|
|Source||CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)|
|NVD severity||high (attack range: remote)|
|Debian Bugs||840546, 840547|
Vulnerable and fixed packages
The table below lists information on source packages.
|jessie (security), jessie||4:4.14.2-2+deb8u2||fixed|
|buster, stretch, sid||4:4.14.10-7||fixed|
The information below is based on the following data on fixed versions.