The KHTML component shipped with the KDE libraries is prone to a cross-site scripting (XSS) vulnerability.
Package | kde-base/kdelibs on all architectures |
---|---|
Affected versions | < 3.5.5-r8 |
Unaffected versions | >= 3.5.5-r8 |
KDE is a feature-rich graphical desktop environment for Linux and Unix-like Operating Systems. KHTML is the HTML interpreter used in Konqueror and other parts of KDE.
The KHTML code allows for the execution of JavaScript code located inside the "Title" HTML element, a related issue to the Safari error found by Jose Avila.
When viewing a HTML page that renders unsanitized attacker-supplied input in the page title, Konqueror and other parts of KDE will execute arbitrary JavaScript code contained in the page title, allowing for the theft of browser session data or cookies.
There is no known workaround at this time.
All KDElibs users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=kde-base/kdelibs-3.5.5-r8"
Release date
March 10, 2007
Latest revision
March 10, 2007: 01
Severity
low
Exploitable
remote
Bugzilla entries