CVEdetails.com the ultimate security vulnerability data source

KDE : Security Vulnerabilities (CVSS score between 4 and 4.99)

# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
1 | CVE-2014-8600 | 79 | - | XSS | 2014-12-08 | 2014-12-08 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
Multiple cross-site scripting (XSS) vulnerabilities in KDE-Runtime 4.14.3 and earlier, kwebkitpart 1.3.4 and earlier, and kio-extras 5.1.1 and earlier allow remote attackers to inject arbitrary web script or HTML via a crafted URI using the (1) zip, (2) trash, (3) tar, (4) thumbnail, (5) smtps, (6) smtp, (7) smb, (8) remote, (9) recentdocuments, (10) nntps, (11) nntp, (12) network, (13) mbox, (14) ldaps, (15) ldap, (16) fonts, (17) file, (18) desktop, (19) cgi, (20) bookmarks, or (21) ar scheme, which is not properly handled in an error message.
2 | CVE-2014-3494 | 200 | - | +Info | 2014-07-01 | 2014-07-02 | 4.3 | None | Remote | Medium | Not required | Partial | None | None
kio/usernotificationhandler.cpp in the POP3 kioslave in kdelibs 4.10.95 before 4.13.3 does not properly generate warning notifications, which allows man-in-the-middle attackers to obtain sensitive information via an invalid certificate.
3 | CVE-2012-3413 | 16 | - | - | 2012-08-07 | 2012-08-08 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
The HTMLQuoteColorer::process function in messageviewer/htmlquotecolorer.cpp in KDE PIM 4.6 through 4.8 does not disable JavaScript, Java, and Plugins, which allows remote attackers to inject arbitrary web script or HTML via a crafted email.
4 | CVE-2011-3365 | 20 | - | - | 2011-11-29 | 2012-01-18 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
The KDE SSL Wrapper (KSSL) API in KDE SC 4.6.0 through 4.7.1, and possibly earlier versions, does not use a certain font when rendering certificate fields in a security dialog, which allows remote attackers to spoof the common name (CN) of a certificate via rich text.
5 | CVE-2011-1168 | 79 | - | XSS | 2011-04-18 | 2014-02-20 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
Cross-site scripting (XSS) vulnerability in the KHTMLPart::htmlError function in khtml/khtml_part.cpp in Konqueror in KDE SC 4.4.0 through 4.6.1 allows remote attackers to inject arbitrary web script or HTML via the URI in a URL corresponding to an unavailable web site.
6 | CVE-2009-2537 | 399 | 1 | DoS | 2009-07-20 | 2009-12-19 | 4.3 | None | Remote | Medium | Not required | None | None | Partial
KDE Konqueror allows remote attackers to cause a denial of service (memory consumption) via a large integer value for the length property of a Select object, a related issue to CVE-2009-1692.
7 | CVE-2008-5698 | 399 | 1 | DoS | 2008-12-22 | 2009-05-09 | 4.3 | None | Remote | Medium | Not required | None | None | Partial
HTMLTokenizer::scriptHandler in Konqueror in KDE 3.5.9 and 3.5.10 allows remote attackers to cause a denial of service (application crash) via an invalid document.load call that triggers use of a deleted object. NOTE: some of these details are obtained from third party information.
8 | CVE-2008-1671 | 16 | - | DoS Exec Code | 2008-04-28 | 2009-02-21 | 4.6 | User | Local | Low | Not required | Partial | Partial | Partial
start_kdeinit in KDE 3.5.5 through 3.5.9, when installed setuid root, allows local users to cause a denial of service and possibly execute arbitrary code via "user-influenceable input" (probably command-line arguments) that cause start_kdeinit to send SIGUSR1 signals to other processes.
9 | CVE-2007-6591 | - | - | - | 2007-12-28 | 2008-09-05 | 4.3 | None | Remote | Medium | Not required | Partial | None | None
KDE Konqueror 3.5.5 and 3.95.00, when a user accepts an SSL server certificate on the basis of the CN domain name in the DN field, regards the certificate as also accepted for all domain names in subjectAltName:dNSName fields, even though these fields cannot be examined in the product, which makes it easier for remote attackers to trick a user into accepting an invalid certificate for a spoofed web site.
10 | CVE-2007-5963 | - | - | DoS | 2007-12-19 | 2009-01-31 | 4.7 | None | Local | Medium | Not required | None | None | Complete
Unspecified vulnerability in kdebase allows local users to cause a denial of service (KDM login inaccessible, or resource consumption) via unknown vectors.
11 | CVE-2007-4229 | - | - | DoS | 2007-08-08 | 2008-11-15 | 4.3 | None | Remote | Medium | Not required | None | None | Partial
Unspecified vulnerability in KDE Konqueror 3.5.7 and earlier allows remote attackers to cause a denial of service (failed assertion and application crash) via certain malformed HTML, as demonstrated by a document containing TEXTAREA, BUTTON, BR, BDO, PRE, FRAMESET, and A tags. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
12 | CVE-2007-4224 | 59 | - | - | 2007-08-08 | 2010-08-21 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
KDE Konqueror 3.5.7 allows remote attackers to spoof the URL address bar by calling setInterval with a small interval and changing the window.location property.
13 | CVE-2007-1308 | 399 | - | DoS | 2007-03-06 | 2010-11-30 | 4.3 | None | Remote | Medium | Not required | None | None | Partial
ecma/kjs_html.cpp in KDE JavaScript (KJS), as used in Konqueror in KDE 3.5.5, allows remote attackers to cause a denial of service (crash) by accessing the content of an iframe with an ftp:// URI in the src attribute, probably due to a NULL pointer dereference.
14 | CVE-2006-6811 | - | - | DoS Overflow | 2006-12-29 | 2008-11-15 | 4.3 | None | Remote | Medium | Not required | None | None | Partial
KsIRC 1.3.12 allows remote attackers to cause a denial of service (crash) via a long PRIVMSG string when connecting to an Internet Relay Chat (IRC) server, which causes an assertion failure and results in a NULL pointer dereference. NOTE: this issue was originally reported as a buffer overflow.
15 | CVE-2006-6660 | - | - | DoS | 2006-12-20 | 2008-09-05 | 4.3 | None | Remote | Medium | Not required | None | None | Partial
The nodeType function in KDE libkhtml 4.2.0 and earlier, as used by Konqueror, KMail, and other programs, allows remote attackers to cause a denial of service (crash) via malformed HTML tags, possibly involving a COL SPAN tag embedded in a RANGE tag.
16 | CVE-2006-2933 | - | - | - | 2006-07-27 | 2010-08-21 | 4.6 | User | Local | Low | Not required | Partial | Partial | Partial
kdesktop_lock in kdebase before 3.1.3-5.11 for KDE in Red Hat Enterprise Linux (RHEL) 3 does not properly terminate, which can prevent the screensaver from activating or prevent users from manually locking the desktop.
17 | CVE-2006-2449 | - | - | - | 2006-06-15 | 2010-08-21 | 4.0 | None | Local | High | Not required | Complete | None | None
KDE Display Manager (KDM) in KDE 3.2.0 up to 3.5.3 allows local users to read arbitrary files via a symlink attack related to the session type for login.
18 | CVE-2005-0205 | - | - | +Priv | 2005-05-02 | 2010-08-21 | 4.6 | User | Local | Low | Not required | Partial | Partial | Partial
KPPP 2.1.2 in KDE 3.1.5 and earlier, when setuid root without certain wrappers, does not properly close a privileged file descriptor for a domain socket, which allows local users to read and write to /etc/hosts and /etc/resolv.conf and gain control over DNS name resolution by opening a number of file descriptors before executing kppp.
19 | CVE-2005-0078 | - | - | - | 2005-05-02 | 2010-08-21 | 4.6 | User | Local | Low | Not required | Partial | Partial | Partial
The KDE screen saver in KDE before 3.0.5 does not properly check the return value from a certain function call, which allows attackers with physical access to cause a crash and access the desktop session.
20 | CVE-2004-0690 | - | - | - | 2004-09-28 | 2008-09-10 | 4.6 | User | Local | Low | Not required | Partial | Partial | Partial
The DCOPServer in KDE 3.2.3 and earlier allows local users to gain unauthorized access via a symlink attack on DCOP files in the /tmp directory.
21 | CVE-2004-0689 | - | - | - | 2004-09-28 | 2010-08-21 | 4.6 | User | Local | Low | Not required | Partial | Partial | Partial
KDE before 3.3.0 does not properly handle when certain symbolic links point to "stale" locations, which could allow local users to create or truncate arbitrary files.
22 | CVE-2003-1478 | 119 | - | DoS Overflow | 2003-12-31 | 2008-09-05 | 4.3 | None | Remote | Medium | Not required | None | None | Partial
Konqueror in KDE 3.0.3 allows remote attackers to cause a denial of service (core dump) via a web page that begins with a "\xFF\xFE" byte sequence and a large number of CRLF sequences, as demonstrated using freeze.htm.
23 | CVE-2001-1197 | - | - | - | 2001-12-14 | 2008-09-05 | 4.6 | User | Local | Low | Not required | Partial | Partial | Partial
klprfax_filter in KDE2 KDEUtils allows local users to overwrite arbitrary files via a symlink attack on the klprfax.filter temporary file.
24 | CVE-2001-0610 | - | - | +Priv | 2001-08-02 | 2008-09-10 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial
kfm as included with KDE 1.x can allow a local attacker to gain additional privileges via a symlink attack in the kfm cache directory in /tmp.
25 | CVE-1999-1270 | - | - | +Info | 1998-07-11 | 2008-09-05 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial
KMail in KDE 1.0 provides a PGP passphrase as a command line argument to other programs, which could allow local users to obtain the passphrase and compromise the PGP keys of other users by viewing the arguments via programs that list process information, such as ps.
26 | CVE-1999-0780 | - | - | - | 1998-11-18 | 2008-09-09 | 4.6 | User | Local | Low | Not required | Partial | Partial | Partial
KDE klock allows local users to kill arbitrary processes by specifying an arbitrary PID in the .kss.pid file.
27 | CVE-1999-0735 | - | - | +Priv | 2000-01-04 | 2008-09-09 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial
KDE K-Mail allows local users to gain privileges via a symlink attack in temporary user directories.
Total number of vulnerabilities: 27