Enigmail 1.9.9 Vulnerability: Signature Spoofing in Multipart/Related Messages

CVE-2017-17848 · MEDIUM Severity

CVSS v2 vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

An issue was discovered in Enigmail before 1.9.9. In a variant of CVE-2017-17847, signature spoofing is possible for multipart/related messages because a signed message part can be referenced with a cid: URI but not actually displayed. In other words, the entire containing message appears to be signed, but the recipient does not see any of the signed text.
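
A defender-side check for the structure described above, as an added example that is not part of the original advisory or of Enigmail's code: it walks a message's MIME tree and reports every multipart/signed part that sits inside a multipart/related container without being its root part. The sample message, its addresses and the function names are constructed for illustration; treating the first part (or the part named by `start`) as the displayed root follows RFC 2387.

```python
from email import message_from_string

# Constructed sample (not a real message; the signature is a placeholder).
SAMPLE = """\
MIME-Version: 1.0
Content-Type: multipart/related; boundary="rel"

--rel
Content-Type: text/html

<p>Unsigned text the reader sees.</p><img src="cid:part1@example.invalid">
--rel
Content-Type: multipart/signed; protocol="application/pgp-signature"; boundary="sig"
Content-ID: <part1@example.invalid>

--sig
Content-Type: text/plain

Signed text that is never displayed.
--sig
Content-Type: application/pgp-signature

PLACEHOLDER
--sig--
--rel--
"""

def related_root(parts, start):
    """Root of multipart/related: the part named by 'start', else the first part."""
    for p in parts:
        if isinstance(start, str) and p.get("Content-ID", "").strip() == start.strip():
            return p
    return parts[0]

def hidden_signed_parts(raw):
    """Return (content_id, referenced_by_root) for each non-root child of a
    multipart/related container that is, or contains, a multipart/signed part."""
    findings = []
    for node in message_from_string(raw).walk():
        parts = node.get_payload() if node.is_multipart() else []
        if node.get_content_type() != "multipart/related" or not parts:
            continue
        root = related_root(parts, node.get_param("start"))
        # Decoded text of the root part, i.e. what the reader is actually shown.
        shown = "".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                        for p in root.walk())
        for child in (p for p in parts if p is not root):
            if any(s.get_content_type() == "multipart/signed" for s in child.walk()):
                cid = child.get("Content-ID", "").strip().strip("<>")
                findings.append((cid, bool(cid) and f"cid:{cid}" in shown))
    return findings
```

A non-empty result means the message carries a valid-looking signed part whose text is not what the reader sees, so a "signed" indicator for the whole message should not be trusted.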
