CVE-2016-7966

NameCVE-2016-7966
DescriptionThrough a malicious URL that contained a quote character it was possible to inject HTML code in KMail's plaintext viewer. Due to the parser used on the URL it was not possible to include the equal sign (=) or a space into the injected HTML, which greatly reduces the available HTML functionality. Although it is possible to include an HTML comment indicator to hide content.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-673-1, DSA-3697-1
Debian Bugs840546, 840547

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
kcoreaddons (PTS)bullseye5.78.0-4fixed
bookworm5.103.0-1fixed
sid, trixie5.115.0-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
kcoreaddonssource(unstable)5.26.0-3840547
kdepimlibssourcewheezy4:4.8.4-2+deb7u1DLA-673-1
kdepimlibssourcejessie4:4.14.2-2+deb8u2DSA-3697-1
kdepimlibssource(unstable)4:4.14.10-7840546

Notes

https://www.kde.org/info/security/advisory-20161006-1.txt
Search for package or bug name: Reporting problems