REDHAT-BUG-733504

First published: Thu Aug 25 2011(Updated: )

This is another Evolution security issue that I found upstream but presume also affects Fedora and would like to put on the Fedora security team's radar. If my filing such bugs is not appreciated, please let me know and I will stop. Description of problem: Evolution registers a "mailto:" URL handler that accepts a parameter to attach a local file. Thus, a web site can launch the composer on an email with a confidential file attached and try to trick the user into sending it. Version-Release number of selected component (if applicable): Upstream gnome-3-0 branch as of 2011-08-24 How reproducible: Always Steps to Reproduce: 1. Go to <a href="https://mattmccutchen.net/private/evolution-mailto-test">https://mattmccutchen.net/private/evolution-mailto-test</a> . 2. Click "Send" in the composer. Actual results: Your SSH private key is emailed to me. Expected results: A prompt is shown and you decline to attach the private key.

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• agent/references
• agent/type
• agent/first-publish-date
• agent/last-modified-date
• collector/redhat-bugzilla
• source/Red Hat
• alias/CVE-2011-3201
• agent/severity
• agent/description
• agent/event
• agent/trending
• agent/source
• agent/tags
• agent/softwarecombine
• agent/guess-ai
• agent/software-canonical-lookup
• agent/software-canonical-lookup-request
• vendor/gnome
• canonical/gnome evolution