CVE-2017-17848

Name of the Vulnerable Software and Affected Versions Enigmail versions prior to 1.9.9

Description An issue in Enigmail allows signature spoofing for multipart/related messages. This occurs because a signed message part can be referenced with a cid: URI but not actually displayed, making the entire containing message appear signed when it is not. The recipient does not see any of the signed text, potentially leading to misleading information about the message's authenticity.

Recommendations For versions prior to 1.9.9, update to version 1.9.9 or later to resolve the issue. As a temporary workaround, consider verifying the authenticity of messages through alternative means until the update can be applied.