Latest KDE Vulnerabilities

KDE KCron through 21.12.2 uses a temporary file in /tmp when saving, but reuses the filename during an editing session. Thus, someone watching it be created the first time could potentially intercept ...
KDE KCron<=21.12.2
The LSP (Language Server Protocol) plugin in KDE Kate before 21.12.2 and KTextEditor before 5.91.0 tries to execute the associated LSP server binary when opening a file of a given type. If this binary...
<21.12.2
<5.91.0
KDE Kate<21.12.2
Kde Ktexteditor<5.91.0
In KDE KMail 19.12.3 (aka 5.13.3), the SMTP STARTTLS option is not honored (and cleartext messages are sent) unless "Server requires authentication" is checked.
KDE KMail=19.12.3
KDE KImageFormats 5.70.0 through 5.81.0 has a stack-based buffer overflow in XCFImageFormat::loadTileRLE.
KDE KImageFormats>=5.70.0<=5.81.0
KDE Messagelib through 5.17.0 reveals cleartext of encrypted messages in some situations. Deleting an attachment of a decrypted encrypted message stored on a remote server (e.g., an IMAP server) cause...
KDE Messagelib<=5.17.0
libdiscover/backends/KNSBackend/KNSResource.cpp in KDE Discover before 5.21.3 automatically creates links to potentially dangerous URLs (that are neither https:// nor http://) based on the content of ...
KDE Discover<5.21.3
kpmcore_externalcommand helper contains a logic flaw in which the service invoking dbus is not properly checked. An attacker on your local machine can replace /etc/fstab, execute mount and other parti...
redhat/kpmcore<4.2.0
KDE Partition Manager>=4.1.0<4.2.0
In kdeconnect-kde (aka KDE Connect) before 20.08.2, an attacker on the local network could send crafted packets that trigger use of large amounts of CPU, memory, or network connection slots, aka a Den...
Kde Kdeconnect<20.08.2
openSUSE Backports SLE=15.0-sp1
openSUSE Backports SLE=15.0-sp2
openSUSE Leap=15.1
openSUSE Leap=15.2
In KDE Ark before 20.08.1, a crafted TAR archive with symlinks can install files outside the extraction directory, as demonstrated by a write operation to a user's home directory.
debian/ark<=4:20.08.0-1<=4:18.08.3-1+deb10u1<=4:18.08.3-1
KDE Ark<20.08.1
Canonical Ubuntu Linux=16.04
Canonical Ubuntu Linux=18.04
Canonical Ubuntu Linux=20.04
Debian Debian Linux=10.0
In kerfuffle/jobs.cpp in KDE Ark before 20.08.0, a crafted archive can install files outside the extraction directory via ../ directory traversal.
ubuntu/ark<4:17.12.3-0ubuntu1.1
ubuntu/ark<4:19.12.3-0ubuntu1.1
ubuntu/ark<4:20.04.3-1
debian/ark
KDE Ark<20.08.0
Debian Debian Linux=9.0
KDE KMail 19.12.3 (aka 5.13.3) engages in unencrypted POP3 communication during times when the UI indicates that encryption is in use.
KDE KMail=19.12.3
Debian Debian Linux=9.0
A remote user can create a specially crafted M3U media playlist file that, when loaded by the target user, triggers a memory leak, whereby Amarok 2.8.0 continues to waste resources over time, ...
=2.8.0
fishProtocol::establishConnection in fish/fish.cpp in KDE kio-extras through 20.04.0 makes a cacheAuthentication call even if the user had not set the keepPassword option. This may lead to unintended ...
KDE kio-extras<=20.04.0
An issue was discovered in KDE KMail before 19.12.3. By using the proprietary (non-RFC6068) "mailto?attach=..." parameter, a website (or other source of mailto links) can make KMail attach local files...
KDE KMail<19.12.3
KDE Okular before 1.10.0 allows code execution via an action link in a PDF document.
KDE Okular<1.10.0
KDE Okular>=19.12.0<19.12.3
Debian Debian Linux=8.0
Fedoraproject Fedora=30
Fedoraproject Fedora=31
Fedoraproject Fedora=32
messagepartthemes/default/defaultrenderer.cpp in messagelib in KDE Applications before 18.12.0 does not properly restrict the handling of an http-equiv="REFRESH" value.
Kde Kde Applications<18.12
The KRandom::random function in KDE Paste Applet after 4.10.5 in kdeplasma-addons uses the GNU C Library rand function's linear congruential generator, which makes it easier for context-dependent atta...
KDE Paste Applet>4.10.5
The %{password(...)} macro in pastemacroexpander.cpp in the KDE Paste Applet before 4.10.5 in kdeplasma-addons does not properly generate passwords, which allows context-dependent attackers to bypass ...
KDE Paste Applet<4.10.5
The CSS parser (khtml/css/cssparser.cpp) in Konqueror in KDE 4.7.3 allows remote attackers to cause a denial of service (crash) and possibly read memory via a crafted font face source, related to "typ...
KDE KDE=4.7.3
Redhat Enterprise Linux=6.0
Redhat Enterprise Linux Desktop=6.0
Redhat Enterprise Linux Server Eus=6.3
Redhat Enterprise Linux Workstation=6.0
kde-workspace before 4.10.5 has a memory leak in the Plasma desktop.
Kde Kde-workspace<4.10.5
Debian Debian Linux=8.0
debian/kde-workspace
In KDE Frameworks KConfig before 5.61.0, malicious desktop files and configuration files lead to code execution with minimal user interaction. This relates to libKF5ConfigCore.so, and the mishandling ...
Kde Kconfig<5.61.0
Debian Debian Linux=9.0
Debian Debian Linux=10.0
Fedoraproject Fedora=29
Fedoraproject Fedora=30
openSUSE Backports SLE=15.0-sp1
KDE KAuth before 5.55 allows the passing of parameters with arbitrary types to helpers running as root over DBus via DBusHelperProxy.cpp. Certain types can cause crashes, and trigger the decoding of a...
KDE KAuth<5.55.0
openSUSE Leap=15.0
openSUSE Leap=42.3
Opensuse Backports
SUSE Linux Enterprise=15.0
Fedoraproject Fedora=28
In KDE KMail 5.2.3, an attacker in possession of S/MIME or PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. The encrypted part(s) can further be hidden using HTML/CSS ...
KDE KMail=5.2.3
Debian Debian Linux=8.0
The HTML thumbnailer plugin in KDE Applications before 18.12.0 allows attackers to trigger outbound TCP connections to arbitrary IP addresses, leading to disclosure of the source IP address.
Kde Kde Applications<18.12.0
redhat/kio-extras<18.12.0
okular version 18.08 and earlier contains a Directory Traversal vulnerability in function "unpackDocumentArchive(...)" in "core/document.cpp" that can result in Arbitrary file creation on the user wor...
debian/okular
KDE Okular<=18.08
Debian Debian Linux=8.0
Debian Debian Linux=9.0

© 2024 SecAlerts Pty Ltd.