kpac/script.cpp in KDE kio prior to 5.32 and kdelibs prior to 4.14.30 calls the PAC FindProxyForURL function with a full https URL (potentially including Basic Authentication credentials, a query string, or PATH_INFO), which allows remote malicious users to obtain sensitive information via a crafted PAC file.
Vulnerable Product |
---|
kde kdelibs |
kde kio |
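
The exposure described above, shown from the resolver's side as an added example (not code from KDE or from this page): a recording stub stands in for a PAC file's `FindProxyForURL`, and a hypothetical `sanitizeForPac` helper reduces the URL before the call. The helper names, the sample URL and the choice to keep the path for plain http are assumptions made for illustration.

```javascript
// Hypothetical helper (not the KDE patch): reduce a request URL to what a
// PAC script needs for a routing decision. Userinfo and fragment are always
// dropped; for https the path (incl. PATH_INFO) and query string go too.
function sanitizeForPac(rawUrl) {
  const u = new URL(rawUrl);
  u.username = '';
  u.password = '';
  u.hash = '';
  if (u.protocol === 'https:') {
    u.pathname = '/';
    u.search = '';
  }
  return u.toString();
}

// Stand-in for a PAC file's entry point. It only records its arguments so
// the caller can inspect exactly what an untrusted PAC script would receive.
function makeRecordingPac() {
  const seen = [];
  return {
    seen,
    FindProxyForURL(url, host) {
      seen.push({ url, host });
      return 'DIRECT';
    },
  };
}

// Plays the role of the proxy resolver that invokes the PAC function.
function resolveProxy(pac, rawUrl, sanitize) {
  const host = new URL(rawUrl).hostname;
  const arg = sanitize ? sanitizeForPac(rawUrl) : rawUrl;
  return pac.FindProxyForURL(arg, host);
}

// Constructed sample URL carrying every sensitive part the advisory lists.
const SAMPLE =
  'https://alice:s3cret@intranet.example:8443/reset/token-123?sid=abc#frag';

// Returns the URL argument seen by the PAC stub without and with sanitizing.
function demo() {
  const before = makeRecordingPac();
  resolveProxy(before, SAMPLE, false);
  const after = makeRecordingPac();
  resolveProxy(after, SAMPLE, true);
  return { before: before.seen[0].url, after: after.seen[0].url };
}
```

Calling `demo()` returns both views: the unsanitized call hands the stub the credentials, path and query unchanged, while the sanitized call hands it only scheme, host and port.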