Filtered by vendor Mailvelope
Subscriptions
Filtered by product Mailvelope
Subscriptions
Total
4 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2019-9149 | 1 Mailvelope | 1 Mailvelope | 2024-08-04 | 6.5 Medium |
Mailvelope prior to 3.3.0 allows private key operations without user interaction via its client-API. By modifying an URL parameter in Mailvelope, an attacker is able to sign (and encrypt) arbitrary messages with Mailvelope, assuming the private key password is cached. A second vulnerability allows an attacker to decrypt an arbitrary message when the GnuPG backend is used in Mailvelope. | ||||
CVE-2019-9150 | 1 Mailvelope | 1 Mailvelope | 2024-08-04 | N/A |
Mailvelope prior to 3.3.0 does not require user interaction to import public keys shown on web page. This functionality can be tricked to either hide a key import from the user or obscure which key was imported. | ||||
CVE-2019-9147 | 1 Mailvelope | 1 Mailvelope | 2024-08-04 | N/A |
Mailvelope prior to 3.1.0 is vulnerable to a clickjacking attack against the settings page. As the settings page is intended to be accessible from web applications, the browser's extension isolation mechanisms are disabled (web_accessible_resources). Mailvelope implements additional measures to prevent web applications from directly embedding the settings page, but this mechanism can be bypassed. | ||||
CVE-2019-9148 | 1 Mailvelope | 1 Mailvelope | 2024-08-04 | 4.3 Medium |
Mailvelope prior to 3.3.0 accepts or operates with invalid PGP public keys: Mailvelope allows importing keys that contain users without a valid self-certification. Keys that are obviously invalid are not rejected during import. An attacker that is able to get a victim to import a manipulated key could claim to have signed a message that originates from another person. |
Page 1 of 1.