CVE-2019-9148

Name of the Vulnerable Software and Affected Versions Mailvelope versions prior to 3.3.0

Description The issue allows an attacker to manipulate PGP public keys, making it possible to claim that a message originates from another person. This can be achieved by getting a victim to import a manipulated key that contains users without a valid self-certification. The software does not reject obviously invalid keys during import.

Recommendations For versions prior to 3.3.0, update to version 3.3.0 or later to resolve the issue. As a temporary workaround, consider verifying the validity of PGP public keys before importing them to minimize the risk of exploitation.