KDE: Security Vulnerabilities
An issue was discovered in KDE Partition Manager 4.1.0 before 4.2.0. The kpmcore_externalcommand helper contains a logic flaw in which the service invoking it over D-Bus is not properly checked. An attacker on the local machine can replace /etc/fstab and execute mount and other partitioning-related commands while KDE Partition Manager is running. The mount command can then be used to gain full root privileges.
CVSS Score: 7.8 | EPSS Score: 0.001 | Published: 2020-10-26
In kdeconnect-kde (aka KDE Connect) before 20.08.2, an attacker on the local network could send crafted packets that trigger use of large amounts of CPU, memory, or network connection slots, aka a Denial of Service attack.
CVSS Score: 5.5 | EPSS Score: 0.001 | Published: 2020-10-07
In KDE Ark before 20.08.1, a crafted TAR archive with symlinks can install files outside the extraction directory, as demonstrated by a write operation to a user's home directory.
CVSS Score: 3.3 | EPSS Score: 0.008 | Published: 2020-09-02
In kerfuffle/jobs.cpp in KDE Ark before 20.08.0, a crafted archive can install files outside the extraction directory via ../ directory traversal.
CVSS Score: 3.3 | EPSS Score: 0.009 | Published: 2020-08-03
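The two Ark entries above describe the two classic archive-extraction escapes: a member name that walks out of the destination with ../ (or an absolute path), and a symlink member whose target lies outside the destination, so that a later member written through the link lands elsewhere. The following is an added example, not Ark's code, showing a pre-extraction check that refuses an archive if any member uses either technique. The sample archive is constructed in memory; the destination directory name (extract_here under the current working directory) is an assumption and need not exist.

```python
import io
import os
import tarfile


def is_within(base: str, target: str) -> bool:
    """True when `target` resolves (lexically, plus any symlinks that already
    exist on disk) to a location inside `base`."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def check_tar_members(tar: tarfile.TarFile, dest: str) -> list:
    """Return (member_name, reason) pairs for every member that must not be
    extracted into `dest`. Symlinks are judged before anything is written:
    once an escaping link exists on disk, a later member written "through" it
    would pass a purely lexical path check and still land outside `dest`."""
    dest = os.path.realpath(dest)
    rejected = []
    for m in tar.getmembers():
        # os.path.join discards `dest` when m.name is absolute, so absolute
        # names fail the is_within test just like '../' names do.
        path = os.path.join(dest, m.name)
        if not is_within(dest, path):
            rejected.append((m.name, "path escapes destination"))
            continue
        if m.issym():
            # A symlink target is relative to the directory holding the link.
            link_target = os.path.join(os.path.dirname(path), m.linkname)
            if not is_within(dest, link_target):
                rejected.append((m.name, "symlink target escapes destination"))
        elif m.islnk():
            # A hardlink target is relative to the archive root.
            if not is_within(dest, os.path.join(dest, m.linkname)):
                rejected.append((m.name, "hardlink target escapes destination"))
    return rejected


def safe_to_extract(tar: tarfile.TarFile, dest: str) -> bool:
    """Whole-archive decision: refuse everything if any member is unsafe,
    rather than silently skipping the bad members and extracting the rest."""
    return not check_tar_members(tar, dest)


def sample_dest() -> str:
    """Assumed destination for the demo; it does not have to exist yet."""
    return os.path.join(os.getcwd(), "extract_here")


def build_sample_tar() -> tarfile.TarFile:
    """Constructed in-memory sample archive (not a real capture) mixing benign
    members with the two escape techniques."""
    buf = io.BytesIO()
    payload = b"hello\n"
    with tarfile.open(fileobj=buf, mode="w") as tw:
        def add_file(name):
            ti = tarfile.TarInfo(name)
            ti.size = len(payload)
            tw.addfile(ti, io.BytesIO(payload))

        def add_symlink(name, target):
            ti = tarfile.TarInfo(name)
            ti.type = tarfile.SYMTYPE
            ti.linkname = target
            tw.addfile(ti)

        add_file("docs/readme.txt")                   # benign
        add_file("../../.bashrc")                     # '../' traversal
        add_symlink("home", "../../../home/victim")   # link pointing outside dest
        add_file("home/.profile")                     # would be written through the link
        add_symlink("docs/link", "readme.txt")        # benign relative symlink
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")


if __name__ == "__main__":
    for name, reason in check_tar_members(build_sample_tar(), sample_dest()):
        print(f"REJECT {name}: {reason}")
```

Note that the member home/.profile passes the lexical check on its own; it is the earlier symlink member that gets flagged, which is why the archive is refused as a whole instead of member by member.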
KDE KMail 19.12.3 (aka 5.13.3) engages in unencrypted POP3 communication during times when the UI indicates that encryption is in use.
CVSS Score: 6.5 | EPSS Score: 0.001 | Published: 2020-07-27
A remote user can create a specially crafted M3U (media playlist) file that, when loaded by the target user, triggers a memory leak; Amarok 2.8.0 continues to waste resources over time, which eventually allows attackers to cause a denial of service.
CVSS Score: 5.5 | EPSS Score: 0.025 | Published: 2020-05-20
fishProtocol::establishConnection in fish/fish.cpp in KDE kio-extras through 20.04.0 makes a cacheAuthentication call even if the user had not set the keepPassword option. This may lead to unintended KWallet storage of a password.
CVSS Score: 3.3 | EPSS Score: 0.001 | Published: 2020-05-09
An issue was discovered in KDE KMail before 19.12.3. By using the proprietary (non-RFC6068) "mailto?attach=..." parameter, a website (or other source of mailto links) can make KMail attach local files to a composed email message without showing a warning to the user, as demonstrated by an attach=.bash_history value.
CVSS Score: 6.5 | EPSS Score: 0.003 | Published: 2020-04-17
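The KMail entry above turns on a single design decision: which header fields a mail client is willing to take from a link it did not author. The following is an added example, not KMail's code, of a mailto: parser that honours only an allowlist of header fields (an assumed allowlist of to, cc, bcc, subject, body and in-reply-to) and reports everything else, so a non-standard attach= parameter is surfaced to the caller instead of silently acted on. It also rejects CR/LF in non-body values, since a value such as %0D%0ABcc: would otherwise inject a header if the composer builds raw headers from the link.

```python
from urllib.parse import unquote

# Assumed allowlist for this example: address fields plus subject, body and
# in-reply-to. Anything else, including the non-standard "attach", is rejected.
ALLOWED_HFIELDS = {"to", "cc", "bcc", "subject", "body", "in-reply-to"}
ADDRESS_FIELDS = {"to", "cc", "bcc"}


def parse_mailto(uri: str):
    """Split a mailto: URI into (accepted headers, rejected (name, value, reason)).

    Each hfname/hfvalue is percent-decoded individually and '+' is left alone:
    a mailto query is not form-encoded, so '+' is a literal plus sign (which is
    why parse_qsl, which maps '+' to a space, is not used here).
    """
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.strip().lower() != "mailto":
        raise ValueError("not a mailto: URI")
    addr_part, _, query = rest.partition("?")
    accepted = {}
    rejected = []
    if addr_part:
        accepted["to"] = [unquote(a) for a in addr_part.split(",") if a]
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        name, value = unquote(name).strip().lower(), unquote(value)
        if name not in ALLOWED_HFIELDS:
            rejected.append((name, value, "not an allowed header field"))
            continue
        # Body may legitimately contain %0D%0A line breaks; header fields may not.
        if name != "body" and ("\r" in value or "\n" in value):
            rejected.append((name, value, "control characters in header value"))
            continue
        if name in ADDRESS_FIELDS:
            accepted.setdefault(name, []).extend(a for a in value.split(",") if a)
        else:
            accepted[name] = value
    return accepted, rejected


def link_is_clean(uri: str) -> bool:
    """True when the link carries nothing the composer has to drop; a client
    could use this to decide whether to warn the user before composing."""
    return not parse_mailto(uri)[1]


# Constructed sample links (not taken from a real site).
SAMPLE_LINKS = [
    "mailto:alice@example.com?subject=Hi&attach=.bash_history&body=hello%20there",
    "mailto:?to=bob@example.com&Subject=a%0D%0ABcc:%20eve@example.com",
    "mailto:carol@example.com,dave@example.com?cc=erin@example.com&subject=Notes",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        accepted, rejected = parse_mailto(link)
        print(link)
        print("  accepted:", accepted)
        print("  rejected:", rejected)
```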
KDE Okular before 1.10.0 allows code execution via an action link in a PDF document.
CVSS Score: 5.3 | EPSS Score: 0.026 | Published: 2020-03-24
messagepartthemes/default/defaultrenderer.cpp in messagelib in KDE Applications before 18.12.0 does not properly restrict the handling of an http-equiv="REFRESH" value.
CVSS Score: 5.3 | EPSS Score: 0.004 | Published: 2020-03-12
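The messagelib entry above concerns an HTML email carrying a meta refresh, which a renderer that passes it through lets a sender redirect the reader's view without a click. As an added example, not messagelib's code, here is a sanitizer built on the standard-library HTMLParser that rebuilds the markup while dropping every meta tag whose http-equiv is refresh (matched case-insensitively, since the attribute name and value may appear in any case) and reports the refresh targets it removed. The sample message is constructed for the example.

```python
from html.parser import HTMLParser


class MetaRefreshStripper(HTMLParser):
    """Re-emits the HTML it parses, minus <meta http-equiv="refresh"> tags.
    Other tags, text, entities, comments and declarations pass through."""

    def __init__(self):
        # convert_charrefs=False so entities such as &amp; are re-emitted as
        # written instead of being decoded into raw characters.
        super().__init__(convert_charrefs=False)
        self.out = []
        self.dropped = []

    @staticmethod
    def _is_refresh(tag, attrs):
        if tag != "meta":
            return False
        # HTMLParser lowercases attribute names; values keep their case.
        a = {k: (v or "") for k, v in attrs}
        return a.get("http-equiv", "").strip().lower() == "refresh"

    def handle_starttag(self, tag, attrs):
        if self._is_refresh(tag, attrs):
            self.dropped.append(dict(attrs).get("content") or "")
            return
        self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        # Same rule for self-closing form (<meta ... />).
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")

    def handle_pi(self, data):
        self.out.append(f"<?{data}>")


def strip_meta_refresh(html: str):
    """Return (sanitized_html, list of removed refresh 'content' values)."""
    p = MetaRefreshStripper()
    p.feed(html)
    p.close()
    return "".join(p.out), p.dropped


# Constructed sample message body, not a real email.
SAMPLE_HTML = (
    '<html><head><meta charset="utf-8">'
    '<META HTTP-EQUIV="Refresh" CONTENT="0; url=http://attacker.example/">'
    '<title>Invoice</title></head>'
    '<body><p>Hi &amp; bye</p></body></html>'
)

if __name__ == "__main__":
    clean, removed = strip_meta_refresh(SAMPLE_HTML)
    print(clean)
    print("removed refresh targets:", removed)
```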
Shodan ® - All rights reserved