CVE-2018-15586

Published: 11/02/2019 Updated: 16/05/2019
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 6.5 | Impact Score: 3.6 | Exploitability Score: 2.8
VMScore: 383
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Summary

Enigmail prior to 2.0.6 is prone to OpenPGP signatures being spoofed for arbitrary messages using a PGP/INLINE signature wrapped within a specially crafted multipart HTML email.

Affected Products

Vendor | Product | Versions
Enigmail | Enigmail | 0.74.0, 0.74.1, 0.75.0, 0.76.0, 0.76.1, 0.76.2, 0.76.3, 0.76.4, 0.76.7, 0.76.8, 0.80.0, 0.81.2, 0.81.5, 0.81.6, 0.81.7, 0.82.0, 0.82.1, 0.82.2, 0.82.3, 0.82.4, 0.82.5, 0.82.6, 0.83.0, 0.83.1, 0.83.2, 0.83.3, 0.83.4, 0.83.5, 0.83.6, 0.84.0, 0.84.1, 0.84.2, 0.85.0, 0.86.0, 0.86.1, 0.89.0, 0.89.1, 0.89.2, 0.89.3, 0.89.4, 0.89.5, 0.89.6, 0.90.0, 0.90.1, 0.90.2, 0.91.0, 0.92.0, 0.92.1, 0.93.0, 0.93.1, 0.93.2, 0.94.0, 0.94.1, 0.94.2, 0.94.3, 0.94.4, 0.95.0, 0.95.1, 0.95.2, 0.95.3, 0.95.4, 0.95.5, 0.95.6, 0.95.7, 0.96.0, 1.0.0, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.5.0, 1.5.1, 1.5.2, 1.6.0, 1.7, 1.7.0, 1.7.2, 1.8.0, 1.8.1, 1.8.2, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.9.5, 1.9.6, 1.9.6.1, 1.9.7, 1.9.8, 1.9.9, 2.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5

Mailing Lists

In the scope of academic research at Ruhr-University Bochum and Münster University of Applied Sciences, Germany, various vulnerabilities regarding the signature verification logic in OpenPGP and S/MIME capable email clients have been discovered. While neither OpenPGP nor S/MIME are directly affected, email client implementations show a poor perfo ...
We demonstrate how an attacker can spoof email signatures in 70% of the tested clients, including Thunderbird, Outlook with GpgOL, KMail, Evolution, Trojitá, Apple Mail with GPGTools, Airmail, K-9 Mail, Roundcube and Mailpile. Title: "Johnny, you are fired! – Spoofing OpenPGP and S/MIME Signatures in Emails". To appear at USENIX Security '19 J ...