CVE-2019-9149

Name of the Vulnerable Software and Affected Versions Mailvelope versions prior to 3.3.0

Description The issue allows private key operations without user interaction via its client-API. An attacker can modify a URL parameter in Mailvelope to sign and encrypt arbitrary messages, assuming the private key password is cached. Additionally, when the GnuPG backend is used, an attacker can decrypt an arbitrary message.

Recommendations For versions prior to 3.3.0, update to version 3.3.0 or later to resolve the issue. As a temporary workaround, consider clearing the private key password cache to prevent unauthorized access. Restrict access to the client-API to minimize the risk of exploitation. Avoid using the GnuPG backend until the issue is resolved.