Vulnerabilities (CVE)

Filtered by vendor Mailvelope Subscribe
Filtered by product Mailvelope
Total 4 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-9149 1 Mailvelope 1 Mailvelope 2023-12-10 6.4 MEDIUM 6.5 MEDIUM
Mailvelope prior to 3.3.0 allows private key operations without user interaction via its client-API. By modifying an URL parameter in Mailvelope, an attacker is able to sign (and encrypt) arbitrary messages with Mailvelope, assuming the private key password is cached. A second vulnerability allows an attacker to decrypt an arbitrary message when the GnuPG backend is used in Mailvelope.
CVE-2019-9150 1 Mailvelope 1 Mailvelope 2023-12-10 5.0 MEDIUM 5.3 MEDIUM
Mailvelope prior to 3.3.0 does not require user interaction to import public keys shown on web page. This functionality can be tricked to either hide a key import from the user or obscure which key was imported.
CVE-2019-9148 1 Mailvelope 1 Mailvelope 2023-12-10 4.3 MEDIUM 4.3 MEDIUM
Mailvelope prior to 3.3.0 accepts or operates with invalid PGP public keys: Mailvelope allows importing keys that contain users without a valid self-certification. Keys that are obviously invalid are not rejected during import. An attacker that is able to get a victim to import a manipulated key could claim to have signed a message that originates from another person.
CVE-2019-9147 1 Mailvelope 1 Mailvelope 2023-12-10 4.3 MEDIUM 4.3 MEDIUM
Mailvelope prior to 3.1.0 is vulnerable to a clickjacking attack against the settings page. As the settings page is intended to be accessible from web applications, the browser's extension isolation mechanisms are disabled (web_accessible_resources). Mailvelope implements additional measures to prevent web applications from directly embedding the settings page, but this mechanism can be bypassed.