Vulnerability Details CVE-2019-9147
Mailvelope prior to 3.1.0 is vulnerable to a clickjacking attack against the settings page. As the settings page is intended to be accessible from web applications, the browser's extension isolation mechanisms are disabled (web_accessible_resources). Mailvelope implements additional measures to prevent web applications from directly embedding the settings page, but this mechanism can be bypassed.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 48.3%
CVSS Severity
CVSS v3 Score 4.3
CVSS v2 Score 4.3
References
- https://github.com/mailvelope/mailvelope/blob/master/Changelog.md#v310
- https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/Mailvelope_Extensions/Mailvelope_Extensions_pdf.html
- https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/Mailvelope_Extensions/Mailvelope_Extensions_pdf.pdf?__blob=publicationFile&v=3
- https://github.com/mailvelope/mailvelope/blob/master/Changelog.md#v310
- https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/Mailvelope_Extensions/Mailvelope_Extensions_pdf.html
- https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/Mailvelope_Extensions/Mailvelope_Extensions_pdf.pdf?__blob=publicationFile&v=3
Products affected by CVE-2019-9147
-
cpe:2.3:a:mailvelope:mailvelope:0.10.0
-
cpe:2.3:a:mailvelope:mailvelope:0.10.2
-
cpe:2.3:a:mailvelope:mailvelope:0.10.3
-
cpe:2.3:a:mailvelope:mailvelope:0.10.4
-
cpe:2.3:a:mailvelope:mailvelope:0.11.0
-
cpe:2.3:a:mailvelope:mailvelope:0.12.0
-
cpe:2.3:a:mailvelope:mailvelope:0.12.1
-
cpe:2.3:a:mailvelope:mailvelope:0.13.0
-
cpe:2.3:a:mailvelope:mailvelope:0.13.1
-
cpe:2.3:a:mailvelope:mailvelope:0.13.2
-
cpe:2.3:a:mailvelope:mailvelope:0.4.0.1
-
cpe:2.3:a:mailvelope:mailvelope:0.4.1.0
-
cpe:2.3:a:mailvelope:mailvelope:0.4.2.0
-
cpe:2.3:a:mailvelope:mailvelope:0.4.3
-
cpe:2.3:a:mailvelope:mailvelope:0.5.0
-
cpe:2.3:a:mailvelope:mailvelope:0.5.1
-
cpe:2.3:a:mailvelope:mailvelope:0.5.1.1
-
cpe:2.3:a:mailvelope:mailvelope:0.5.2
-
cpe:2.3:a:mailvelope:mailvelope:0.5.2.2
-
cpe:2.3:a:mailvelope:mailvelope:0.5.3
-
cpe:2.3:a:mailvelope:mailvelope:0.5.4
-
cpe:2.3:a:mailvelope:mailvelope:0.5.4.1
-
cpe:2.3:a:mailvelope:mailvelope:0.5.4.2
-
cpe:2.3:a:mailvelope:mailvelope:0.5.5
-
cpe:2.3:a:mailvelope:mailvelope:0.6.0
-
cpe:2.3:a:mailvelope:mailvelope:0.6.1
-
cpe:2.3:a:mailvelope:mailvelope:0.6.2
-
cpe:2.3:a:mailvelope:mailvelope:0.6.3
-
cpe:2.3:a:mailvelope:mailvelope:0.6.4
-
cpe:2.3:a:mailvelope:mailvelope:0.6.5
-
cpe:2.3:a:mailvelope:mailvelope:0.6.6
-
cpe:2.3:a:mailvelope:mailvelope:0.7.0
-
cpe:2.3:a:mailvelope:mailvelope:0.8.0
-
cpe:2.3:a:mailvelope:mailvelope:0.8.1
-
cpe:2.3:a:mailvelope:mailvelope:0.8.2
-
cpe:2.3:a:mailvelope:mailvelope:0.8.3
-
cpe:2.3:a:mailvelope:mailvelope:0.9.0
-
cpe:2.3:a:mailvelope:mailvelope:1.0.0
-
cpe:2.3:a:mailvelope:mailvelope:1.0.1
-
cpe:2.3:a:mailvelope:mailvelope:1.0.2
-
cpe:2.3:a:mailvelope:mailvelope:1.1.0
-
cpe:2.3:a:mailvelope:mailvelope:1.2.0
-
cpe:2.3:a:mailvelope:mailvelope:1.2.1
-
cpe:2.3:a:mailvelope:mailvelope:1.2.2
-
cpe:2.3:a:mailvelope:mailvelope:1.2.3
-
cpe:2.3:a:mailvelope:mailvelope:1.3.0
-
cpe:2.3:a:mailvelope:mailvelope:1.3.1
-
cpe:2.3:a:mailvelope:mailvelope:1.3.2
-
cpe:2.3:a:mailvelope:mailvelope:1.3.3
-
cpe:2.3:a:mailvelope:mailvelope:1.3.4
-
cpe:2.3:a:mailvelope:mailvelope:1.3.5
-
cpe:2.3:a:mailvelope:mailvelope:1.3.6
-
cpe:2.3:a:mailvelope:mailvelope:1.4.0
-
cpe:2.3:a:mailvelope:mailvelope:1.5.0
-
cpe:2.3:a:mailvelope:mailvelope:1.5.1
-
cpe:2.3:a:mailvelope:mailvelope:1.5.2
-
cpe:2.3:a:mailvelope:mailvelope:1.6.0
-
cpe:2.3:a:mailvelope:mailvelope:1.6.1
-
cpe:2.3:a:mailvelope:mailvelope:1.6.2
-
cpe:2.3:a:mailvelope:mailvelope:1.6.3
-
cpe:2.3:a:mailvelope:mailvelope:1.6.4
-
cpe:2.3:a:mailvelope:mailvelope:1.6.5
-
cpe:2.3:a:mailvelope:mailvelope:1.7.0
-
cpe:2.3:a:mailvelope:mailvelope:1.7.1
-
cpe:2.3:a:mailvelope:mailvelope:1.7.2
-
cpe:2.3:a:mailvelope:mailvelope:1.8.0
-
cpe:2.3:a:mailvelope:mailvelope:1.8.1
-
cpe:2.3:a:mailvelope:mailvelope:2.0.0
-
cpe:2.3:a:mailvelope:mailvelope:2.1.0
-
cpe:2.3:a:mailvelope:mailvelope:2.1.1
-
cpe:2.3:a:mailvelope:mailvelope:2.2.0
-
cpe:2.3:a:mailvelope:mailvelope:2.2.1
-
cpe:2.3:a:mailvelope:mailvelope:2.2.2
-
cpe:2.3:a:mailvelope:mailvelope:3.0.0
-
cpe:2.3:a:mailvelope:mailvelope:3.0.1
-
cpe:2.3:a:mailvelope:mailvelope:3.0.2