DescriptionKMail since version 5.3.0 used a QWebEngine based viewer that had JavaScript enabled. HTML Mail contents were not sanitized for JavaScript and included code was executed.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
kf5-messagelib (PTS)buster4:18.08.3-2fixed
sid, trixie4:22.12.3-2.1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
kf5-messagelibsource(unstable)(not affected)


- kf5-messagelib <not-affected> (Doesn't use qtwebengine, see bug #853241)
Would by fixed by:
and building with Qt 5.7.0.
Following patches partly sanitize mails but still make it possible to inject code: (v16.08.2) (v16.08.2) (v16.08.2) (v16.08.2) (v16.08.2)
The issue is mitigated with the fixes applied for CVE-2016-7966, and a
user protected from this CVE by only viewing plain text mails.

Search for package or bug name: Reporting problems