The S/MIME specification allows a Cipher Block Chaining (CBC) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo
Products Affected
| Vendor | Product | Version |
|---|---|---|
| kde | kmail | - |
| 9folders | nine | - |
| freron | mailmate | - |
| mozilla | thunderbird | - |
| kde | trojita | - |
| apple | - | |
| r2mail2 | r2mail2 | - |
| ritlabs | the_bat | - |
| microsoft | outlook | 2007 |
| flipdogsolutions | maildroid | - |
| ibm | notes | - |
| bloop | airmail | - |
| microsoft | outlook | 2016 |
| horde | horde_imp | - |
| gnome | evolution | - |
| microsoft | outlook | 2013 |
| postbox-inc | postbox | - |
| gmail | - | |
| emclient | emclient | - |
| microsoft | outlook | 2010 |

The Nine application through 4.5.3a for Android allows XSS via an event attribute and arbitrary file loading via a src attribute, if the application has the READ_EXTERNAL_STORAGE permission.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79
Products Affected
| Vendor | Product | Version |
|---|---|---|
| 9folders | nine | * |