Source: kf5-messagelib
Version: 4:18.08.1-1
Severity: grave
Tags: upstream security

Hi,

KDE published the following security advisory (CVE-2018-19516):

> messagelib by default displays emails as plain text, but gives the user
> an option to "Prefer HTML to plain text" in the settings and if that option
> is not enabled there is a way to enable HTML display when an email contains
> HTML.
>
> Some HTML emails can trick messagelib into opening a new browser window when
> displaying said email as HTML.
>
> This happens even if the option to allow the HTML emails to access
> remote servers is disabled in KMail settings.
>
> This means that the owners of the servers referred to in the email can see
> in their access logs your IP address.

https://www.kde.org/info/security/advisory-20181128-1.txt

Cheers,
Felix