Vulnerability Description
K-9 Mail v5.600 can include the original quoted HTML code of a specially crafted, benign-looking email within (digitally signed) reply messages. The quoted part can contain conditional statements that show completely different text when the reply is opened in a different email client. An attacker can abuse this to obtain valid S/MIME or PGP signatures for arbitrary content that is then displayed to a third party. NOTE: the vendor states "We don't plan to take any action because of this."
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| K-9 Mail Project | K-9 Mail | 5.600 |
Related Weaknesses (CWE)
References
- https://github.com/k9mail/k-9/issues/3925 (Third Party Advisory)
FAQ
What is CVE-2019-10741?
CVE-2019-10741 is a vulnerability with a CVSS score of 4.3 (MEDIUM). K-9 Mail v5.600 can include the original quoted HTML code of a specially crafted, benign-looking email within (digitally signed) reply messages. The quoted part can contain conditional statements tha...
How severe is CVE-2019-10741?
CVE-2019-10741 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2019-10741?
Check the references section above for vendor advisories and patch information. Affected products include: K-9 Mail Project K-9 Mail.