GNOME Evolution OpenPGP Signature Spoofing Vulnerability
GNOME Evolution through 3.28.2 is prone to OpenPGP signatures being spoofed for arbitrary messages using a specially crafted email that contains a valid signature from the entity to be impersonated as an attachment.
A vulnerability in GNOME Evolution could allow an unauthenticated, remote attacker to conduct spoofing attacks on a targeted system. The vulnerability exists because the affected software does not properly validate OpenPGP signatures sent to an affected system. An attacker could exploit this vulnerability by persuading a user to open a malicious email with valid PGP-signed data as an attachment. A successful exploit could allow the attacker to either inject arbitrary script code, which could be used to trick the user into disclosing sensitive information, or conduct further attacks. Proof-of-concept (PoC) code that demonstrates an exploit of this vulnerability is publicly available. GNOME has confirmed the vulnerability and released software updates.
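A triage check based on the description above, in which the valid signature arrives as an attachment instead of covering the whole message. This is an added example, not code from GNOME Evolution or from the advisory; the function names, the constructed sample message and the heuristic itself (flag mail whose OpenPGP-signed part sits beside text that no signed part covers) are assumptions.

```python
from email import message_from_string

PGP_SIG = "application/pgp-signature"

# Constructed sample: unsigned body text plus a PGP/MIME signed part attached.
SAMPLE = """\
From: sender@example.org
To: user@example.org
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain

Unsigned body text shown to the reader.
--outer
Content-Type: multipart/signed; protocol="application/pgp-signature"; boundary="inner"
Content-Disposition: attachment

--inner
Content-Type: text/plain

Text that the signature actually covers.
--inner
Content-Type: application/pgp-signature

(placeholder, not a real signature)
--inner--
--outer--
"""

def walk_with_path(part, path="0"):
    """Yield (path, part) for every MIME part; the root is '0', children '0.0', '0.1', ..."""
    yield path, part
    if part.is_multipart():
        for i, child in enumerate(part.get_payload()):
            yield from walk_with_path(child, f"{path}.{i}")

def is_pgp_signed(part):
    """True for a PGP/MIME container: multipart/signed with the OpenPGP protocol."""
    return (part.get_content_type() == "multipart/signed"
            and (part.get_param("protocol") or "").lower() == PGP_SIG)

def audit(raw):
    """Report signed containers and any text part that no signed container covers."""
    parts = list(walk_with_path(message_from_string(raw)))
    signed = [p for p, part in parts if is_pgp_signed(part)]
    covered = lambda p: any(p == s or p.startswith(s + ".") for s in signed)
    unsigned_text = [p for p, part in parts
                     if part.get_content_maintype() == "text" and not covered(p)]
    return {"signed_parts": signed, "unsigned_text": unsigned_text,
            "partial": bool(signed) and bool(unsigned_text)}
```

A `partial` result means a signature verdict for the attached part says nothing about the text outside it. Mailing-list footers and forwarded signed mail produce the same shape, so treat it as a prompt for manual review, not as proof of spoofing.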