{"id":"UBUNTU-CVE-2016-7966","details":"Through a malicious URL that contained a quote character it was possible to inject HTML code in KMail's plaintext viewer. Due to the parser used on the URL it was not possible to include the equal sign (=) or a space into the injected HTML, which greatly reduces the available HTML functionality. Although it is possible to include an HTML comment indicator to hide content.","modified":"2026-01-30T02:03:50.543201Z","published":"2016-10-05T00:00:00Z","related":["USN-3100-1"],"upstream":["CVE-2016-7966"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2016-7966"},{"type":"REPORT","url":"http://www.openwall.com/lists/oss-security/2016/10/05/1"},{"type":"REPORT","url":"https://www.kde.org/info/security/advisory-20161006-1.txt"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-3100-1"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2016-7966"}],"affected":[{"package":{"name":"kdepimlibs","ecosystem":"Ubuntu:14.04:LTS","purl":"pkg:deb/ubuntu/kdepimlibs@4:4.13.3-0ubuntu0.4?arch=source&distro=trusty"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4:4.13.3-0ubuntu0.4"}]}],"versions":["4:4.11.2-0ubuntu1","4:4.11.2-0ubuntu2","4:4.11.80-0ubuntu1","4:4.11.95-0ubuntu1","4:4.11.97-0ubuntu1","4:4.12.0-0ubuntu1","4:4.12.1-0ubuntu1","4:4.12.2-0ubuntu1","4:4.12.2-0ubuntu2","4:4.12.3-0ubuntu1","4:4.12.90-0ubuntu2","4:4.12.95-0ubuntu1","4:4.12.97-0ubuntu1","4:4.13.0-0ubuntu1","4:4.13.1-0ubuntu0.1","4:4.13.2-0ubuntu0.1","4:4.13.3-0ubuntu0.1","4:4.13.3-0ubuntu0.2","4:4.13.3-0ubuntu0.3"],"ecosystem_specific":{"binaries":[{"binary_name":"kdepimlibs-kio-plugins","binary_version":"4:4.13.3-0ubuntu0.4"},{"binary_name":"kdepimlibs5-dev","binary_version":"4:4.13.3-0ubuntu0.4"},{"binary_name":"libakonadi-calendar4","binary_version":"4:4.13.3-0ubuntu0.4"},{"binary_name":"libakonadi-contact4","binary_version":"4:4.13.3-0ubuntu0.4"},{"binary_name":"libakonadi-kabc4","binary_version":"4:4.13.3-0ubuntu0.4"},{"binary_name":"libakonadi-kcal4","binary_version":"4:4.13.3-0ubuntu0.4"},{"binary_name":"libakonadi-kde4","binary_version":"4:4.13.3-0ubuntu0.4"},{"binary_name":"libakonadi-kmime4","binary_version":"4:4.13.3-0ubuntu0.4"},{"binary_name":"libakonadi-notes4","binary_version":"4:4.13.3-0ubuntu0.4"},{"binary_name":"libakonadi-socialutils4","binary_version":"4:4.13.3-0ubuntu0.4"},{"binary_name":"libakonadi-xml4","binary_version":"4:4.13.3-0ubuntu0.4"},{"binary_name":"libgpgme++2","binary_version":"4:4.13.3-0ubuntu0.4"},{"binary_name":"libkabc4","binary_version":"4:4.13.3-0ubuntu0.4"},{"binary_name":"libkalarmcal2","binary_version":"4:4.13.3-0ubuntu0.4"},{"binary_name":"libkblog4","binary_version":"4:4.13.3-0ubuntu0.4"},{"binary_name":"libkcal4","binary_version":"4:4.13.3-0ubuntu0.4"},{"binary_name":"libkcalcore4","binary_version":"4:4.13.3-0ubuntu0.4"},{"binary_name":"libkcalutils4","binary_version":"4:4.13.3-0ubuntu0.4"},{"binary_name":"libkholidays4","binary_version":"4:4.13.3-0ubuntu0.4"},{"binary_name":"libkimap4","binary_version":"4:4.13.3-0ubuntu0.4"},{"binary_name":"libkldap4","binary_version":"4:4.13.3-0ubuntu0.4"},{"binary_name":"libkmbox4","binary_version":"4:4.13.3-0ubuntu0.4"},{"binary_name":"libkmime4","binary_version":"4:4.13.3-0ubuntu0.4"},{"binary_name":"libkontactinterface4","binary_version":"4:4.13.3-0ubuntu0.4"},{"binary_name":"libkpimidentities4","binary_version":"4:4.13.3-0ubuntu0.4"},{"binary_name":"libkpimtextedit4","binary_version":"4:4.13.3-0ubuntu0.4"},{"binary_name":"libkpimutils4","binary_version":"4:4.13.3-0ubuntu0.4"},{"binary_name":"libkresources4","binary_version":"4:4.13.3-0ubuntu0.4"},{"binary_name":"libktnef4","binary_version":"4:4.13.3-0ubuntu0.4"},{"binary_name":"libkxmlrpcclient4","binary_version":"4:4.13.3-0ubuntu0.4"},{"binary_name":"libmailtransport4","binary_version":"4:4.13.3-0ubuntu0.4"},{"binary_name":"libmicroblog4","binary_version":"4:4.13.3-0ubuntu0.4"},{"binary_name":"libqgpgme1","binary_version":"4:4.13.3-0ubuntu0.4"},{"binary_name":"libsyndication4","binary_version":"4:4.13.3-0ubuntu0.4"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2016/UBUNTU-CVE-2016-7966.json"}},{"package":{"name":"kcoreaddons","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/kcoreaddons@5.18.0-0ubuntu1.1?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.18.0-0ubuntu1.1"}]}],"versions":["5.15.0-0ubuntu1","5.15.0-0ubuntu2","5.18.0-0ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_name":"libkf5coreaddons-bin-dev","binary_version":"5.18.0-0ubuntu1.1"},{"binary_name":"libkf5coreaddons-data","binary_version":"5.18.0-0ubuntu1.1"},{"binary_name":"libkf5coreaddons-dev","binary_version":"5.18.0-0ubuntu1.1"},{"binary_name":"libkf5coreaddons5","binary_version":"5.18.0-0ubuntu1.1"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2016/UBUNTU-CVE-2016-7966.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"type":"Ubuntu","score":"medium"}]}