PT-2024-34364 · Kde+3 · Kde Kmail+3
Shushangw
·
Published
2024-10-27
·
Updated
2025-09-03
·
CVE-2024-50624
CVSS v3.1
5.9
Medium
| Vector | AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N |
Name of the Vulnerable Software and Affected Versions:
KDE Kmail versions prior to 6.2.0
Description:
The issue allows man-in-the-middle attackers to trigger the use of an attacker-controlled mail server. This is because cleartext HTTP is used for retrieving configuration from URLs such as 'http://autoconfig.example.com' or 'http://example.com/.well-known/autoconfig'. The problem is related to the kmail-account-wizard component.
Recommendations:
For versions prior to 6.2.0, update to version 6.2.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of cleartext HTTP for autoconfig URLs until a patch is applied.
Fix
Cleartext Transmission of Sensitive Information
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Debian
Kde Kmail
Linuxmint
Ubuntu