Main Vulnerability Database SB2018120803

SB2018120803 - OpenSUSE Linux update for messagelib

Published: December 8, 2018 Updated: December 18, 2018

Security Bulletin ID SB2018120803

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Information disclosure (CVE-ID: CVE-2018-19516)

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists due to messagelib by default displays emails as plain text, but gives the user an option to "Prefer HTML to plain text" in the settings and if that option is not enabled there is way to enable HTML display when an email contains HTML. A remote attacker can supply specially crafted HTML emails, trick messagelib into opening a new browser window when displaying said email as HTML and access IP address.

Remediation

Install update from vendor's website.

References

https://lists.opensuse.org/opensuse-security-announce/2018-12/msg00007.html