KDE · KDE Konqueror · CVE-2007-6591
**Name of the Vulnerable Software and Affected Versions**
KDE Konqueror versions 3.5.5 through 3.95.00
**Description**
The issue allows remote attackers to trick a user into accepting an invalid certificate for a spoofed web site. This occurs when a user accepts an SSL server certificate based on the CN domain name in the DN field, and the certificate is then regarded as accepted for all domain names in subjectAltName:dNSName fields, even though these fields cannot be examined in the product.
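The scoping error described above, as an added example that is not Konqueror's code: a simplified model of a certificate-exception store keyed by certificate alone, next to one keyed by certificate and approved host. The class names, the placeholder fingerprint and the sample host names are assumptions constructed for illustration, and name matching is exact (no wildcards).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    fingerprint: str       # constructed placeholder, not a real hash
    cn: str                # CN from the subject DN: the name the user is shown
    san_dns: tuple = ()    # subjectAltName dNSName entries: not shown to the user

    def names(self):
        return {self.cn.lower(), *(n.lower() for n in self.san_dns)}

class CertScopedStore:
    """Model of the described flaw: the exception is keyed by certificate only."""
    def __init__(self):
        self._accepted = set()
    def accept(self, cert, host):
        self._accepted.add(cert.fingerprint)      # host the user approved is discarded
    def is_trusted(self, cert, host):
        return cert.fingerprint in self._accepted and host.lower() in cert.names()

class HostScopedStore:
    """Hardened model: the exception covers only the host the user approved."""
    def __init__(self):
        self._accepted = set()
    def accept(self, cert, host):
        self._accepted.add((cert.fingerprint, host.lower()))
    def is_trusted(self, cert, host):
        return (cert.fingerprint, host.lower()) in self._accepted

def unreviewed_names(cert, approved_host):
    """Names the certificate covers beyond the one the user approved."""
    return sorted(cert.names() - {approved_host.lower()})

# Constructed sample: an invalid (e.g. self-signed) certificate with an extra SAN entry.
SAMPLE = Cert("FP-PLACEHOLDER", "www.example.org",
              ("www.example.org", "login.example.net"))

def demo():
    results = {}
    for store in (CertScopedStore(), HostScopedStore()):
        store.accept(SAMPLE, "www.example.org")   # user approves the CN host only
        results[type(store).__name__] = store.is_trusted(SAMPLE, "login.example.net")
    return results

if __name__ == "__main__":
    print(demo())
    print(unreviewed_names(SAMPLE, "www.example.org"))
```

`unreviewed_names` returns the set a certificate dialog would need to display before the user's decision can be treated as covering those names.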
**Recommendations**
For KDE Konqueror versions 3.5.5 through 3.95.00, consider disabling the automatic acceptance of SSL server certificates based on the CN domain name in the DN field until a patch is available. Restrict access to sensitive web sites to minimize the risk of exploitation.