CVE-2016-7966 — HIGH (7.3) — White Hats Nepal

Q: How severe is CVE-2016-7966?

CVE-2016-7966 has been rated HIGH with a CVSS base score of 7.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2016-7966?

Check the references section above for vendor advisories and patch information. Affected products include: Kde Kmail, Debian Debian Linux, Fedoraproject Fedora, Suse Linux Enterprise.

Vulnerability Description

Through a malicious URL that contained a quote character it was possible to inject HTML code in KMail's plaintext viewer. Due to the parser used on the URL it was not possible to include the equal sign (=) or a space into the injected HTML, which greatly reduces the available HTML functionality. Although it is possible to include an HTML comment indicator to hide content.

CVSS Score

7.3

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

LOW

Affected Products

Vendor	Product	Versions
Kde	Kmail	<= 4.4.0
Debian	Debian Linux	8.0
Fedoraproject	Fedora	25
Suse	Linux Enterprise	12.0

Related Weaknesses (CWE)

CWE-94

References

http://lists.opensuse.org/opensuse-updates/2016-10/msg00065.htmlThird Party Advisory
http://www.debian.org/security/2016/dsa-3697Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/10/05/1Third Party Advisory
http://www.securityfocus.com/bid/93360Third Party AdvisoryVDB Entry
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
http://lists.opensuse.org/opensuse-updates/2016-10/msg00065.htmlThird Party Advisory
http://www.debian.org/security/2016/dsa-3697Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/10/05/1Third Party Advisory
http://www.securityfocus.com/bid/93360Third Party AdvisoryVDB Entry
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro

FAQ

What is CVE-2016-7966?

CVE-2016-7966 is a vulnerability with a CVSS score of 7.3 (HIGH). Through a malicious URL that contained a quote character it was possible to inject HTML code in KMail's plaintext viewer. Due to the parser used on the URL it was not possible to include the equal sig...

How severe is CVE-2016-7966?

CVE-2016-7966 has been rated HIGH with a CVSS base score of 7.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2016-7966?

Check the references section above for vendor advisories and patch information. Affected products include: Kde Kmail, Debian Debian Linux, Fedoraproject Fedora, Suse Linux Enterprise.