Vulmon Recent Vulnerabilities Discussions Trends Blog About Contact
4.3
CVSSv2

CVE-2018-15586

Published: 11/02/2019 Updated: 16/05/2019
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 6.5 | Impact Score: 3.6 | Exploitability Score: 2.8
VMScore: 383
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Summary

Enigmail prior to 2.0.6 is prone to to OpenPGP signatures being spoofed for arbitrary messages using a PGP/INLINE signature wrapped within a specially crafted multipart HTML email.

Vulnerability Trend

Affected Products

Vendor Product Versions
EnigmailEnigmail0.74.0, 0.74.1, 0.75.0, 0.76.0, 0.76.1, 0.76.2, 0.76.3, 0.76.4, 0.76.7, 0.76.8, 0.80.0, 0.81.2, 0.81.5, 0.81.6, 0.81.7, 0.82.0, 0.82.1, 0.82.2, 0.82.3, 0.82.4, 0.82.5, 0.82.6, 0.83.0, 0.83.1, 0.83.2, 0.83.3, 0.83.4, 0.83.5, 0.83.6, 0.84.0, 0.84.1, 0.84.2, 0.85.0, 0.86.0, 0.86.1, 0.89.0, 0.89.1, 0.89.2, 0.89.3, 0.89.4, 0.89.5, 0.89.6, 0.90.0, 0.90.1, 0.90.2, 0.91.0, 0.92.0, 0.92.1, 0.93.0, 0.93.1, 0.93.2, 0.94.0, 0.94.1, 0.94.2, 0.94.3, 0.94.4, 0.95.0, 0.95.1, 0.95.2, 0.95.3, 0.95.4, 0.95.5, 0.95.6, 0.95.7, 0.96.0, 1.0.0, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.5.0, 1.5.1, 1.5.2, 1.6.0, 1.7, 1.7.0, 1.7.2, 1.8.0, 1.8.1, 1.8.2, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.9.5, 1.9.6, 1.9.6.1, 1.9.7, 1.9.8, 1.9.9, 2.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5

Mailing Lists

Full Disclosure: OpenPGP and S/MIME signature forgery attacks in multiple email clients
In the scope of academic research at Ruhr-University Bochum and Münster University of Applied Sciences, Germany, various vulnerabilities regarding the signature verification logic in OpenPGP and S/MIME capable email clients have been discovered While neither OpenPGP nor S/MIME are directly affected, email client implementations show a poor perfo ...
Full Disclosure: Spoofing OpenPGP and S/MIME Signatures in Emails (multiple clients)
We demonstrate how an attacker can spoof email signatures in 70% of the tested clients, including Thunderbird, Outlook with GpgOL, KMail, Evolution, Trojitá, Apple Mail with GPGTools, Airmail, K-9 Mail, Roundcube and Mailpile Title: "Johnny, you are fired! – Spoofing OpenPGP and S/MIME Signatures in Emails" To appear at USENIX Security '19 J ...

References

CWE-347http://packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.htmlhttp://seclists.org/fulldisclosure/2019/Apr/38http://www.openwall.com/lists/oss-security/2019/04/30/4https://github.com/RUB-NDS/Johnny-You-Are-Firedhttps://github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.pdfhttps://sourceforge.net/p/enigmail/bugs/849/https://nvd.nist.govhttp://seclists.org/fulldisclosure/2019/Apr/38
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2019-7238CVE-2019-2136hardcodedCVE-2019-8095XPath injectionCVE-2019-8028template injectionCVE-2019-1181CVE-2019-8046