KDE · KDE Messagelib · CVE-2021-31855
**Name of the Vulnerable Software and Affected Versions**
KDE Messagelib versions prior to 5.17.0
**Description**
The issue is related to the incorrect handling of attachment deletion in decrypted encrypted messages stored on remote servers, such as IMAP servers. When a user deletes an attachment from a decrypted encrypted message, the decrypted content of the message is uploaded to the remote server. This could allow an attacker, with access to the messages on the email server, to read the decrypted content of the encrypted message. The problem is specifically found in the `ViewerPrivate::deleteAttachment` function in `messageviewer/src/viewer/viewer_p.cpp`.
**Recommendations**
For KDE Messagelib versions prior to 5.17.0, as a temporary workaround, consider disabling the `deleteAttachment` function in `ViewerPrivate` until a patch is available. Restrict access to the `messageviewer/src/viewer/viewer_p.cpp` component to minimize the risk of exploitation. Avoid deleting attachments from decrypted encrypted messages stored on remote servers until the issue is resolved.
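
One way a mail-handling tool can enforce the last recommendation, as an added Python sketch that is neither Messagelib's C++ code nor its actual fix: it inspects the message as stored on the server and refuses to rewrite it if any part is encrypted. The names `is_encrypted`, `delete_attachment`, `EncryptedMessageError` and both sample messages are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

class EncryptedMessageError(Exception):
    """The edit would replace stored ciphertext with decrypted content."""

def is_encrypted(msg) -> bool:
    """True if the stored message has a PGP/MIME, S/MIME or inline-PGP encrypted part."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "multipart/encrypted":  # PGP/MIME (RFC 3156)
            return True
        if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
            # Fail closed: only clearly non-encrypting S/MIME types are let through.
            if str(part.get_param("smime-type", "")).lower() not in ("signed-data", "certs-only"):
                return True
        if ctype == "text/plain":  # inline PGP armor inside a text body
            if b"-----BEGIN PGP MESSAGE-----" in (part.get_payload(decode=True) or b""):
                return True
    return False

def delete_attachment(raw: bytes, filename: str) -> bytes:
    """Return the message without the named attachment; refuse encrypted messages."""
    msg = message_from_bytes(raw, policy=policy.default)
    # Check the bytes as stored on the server, not the client's decrypted view.
    if is_encrypted(msg):
        raise EncryptedMessageError("refusing to rewrite an encrypted message")
    for part in msg.walk():
        if part.is_multipart():
            part.set_payload([c for c in part.get_payload() if c.get_filename() != filename])
    return msg.as_bytes()

def build_plain_sample() -> bytes:
    """Constructed unencrypted message with one attachment."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("body text")
    m.add_attachment(b"data", maintype="application", subtype="octet-stream",
                     filename="report.bin")
    return m.as_bytes()

# Constructed PGP/MIME message; the armored body is a placeholder, not real ciphertext.
SAMPLE_PGP_MIME = (
    b'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b"\n'
    b"\n--b\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n"
    b"--b\nContent-Type: application/octet-stream\n\n"
    b"-----BEGIN PGP MESSAGE-----\n(constructed placeholder)\n-----END PGP MESSAGE-----\n--b--\n"
)
```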