FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

kwebkitpart, kde-runtime -- insufficient input validation

Affected packages
kde-runtime < 4.14.2_2
kwebkitpart < 1.3.2_4

Details

VuXML ID 890b6b22-70fa-11e4-91ae-5453ed2e2b49
Discovery 2014-11-13
Entry 2014-11-20

Albert Astals Cid reports:

kwebkitpart and the bookmarks:// IO slave were not sanitizing input correctly, allowing some JavaScript to be executed in the context of the referenced hostname.

Whilst in most cases, the JavaScript will be executed in an untrusted context, with the bookmarks IO slave, it will be executed in the context of the referenced hostname. It should however be noted that KDE mitigates this risk by attempting to ensure that such URLs cannot be embedded directly into Internet hosted content.
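The report above describes the general class of defect: bookmark data controlled by the user is written into generated HTML without escaping, so markup in a title or a script-scheme URL ends up being interpreted rather than displayed. The following is an added illustration, written for this entry and not taken from kwebkitpart, kde-runtime or the KDE advisory; the `Bookmark` struct, the sample bookmarks and the two `render*` functions are constructed here to show the naive rendering beside a hardened version that escapes every field and only emits hrefs with a fetchable scheme.

```cpp
#include <string>
#include <vector>
#include <iostream>

// Hypothetical bookmark record, constructed for this example only.
struct Bookmark {
    std::string title;
    std::string url;
};

// Escape the five characters that carry meaning in HTML text and attribute
// contexts, so user-controlled data is rendered as text, never as markup.
std::string htmlEscape(const std::string &in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
        case '&':  out += "&amp;";  break;
        case '<':  out += "&lt;";   break;
        case '>':  out += "&gt;";   break;
        case '"':  out += "&quot;"; break;
        case '\'': out += "&#39;";  break;
        default:   out += c;
        }
    }
    return out;
}

// Allow only schemes that fetch a resource; anything else (javascript:,
// data:, vbscript:, ...) is rejected rather than passed through.
bool isSafeHref(const std::string &url) {
    auto startsWith = [&](const char *p) { return url.rfind(p, 0) == 0; };
    return startsWith("http://") || startsWith("https://") || startsWith("ftp://");
}

// Naive rendering: raw string concatenation with no escaping. This is the
// defect class the advisory describes, shown here for contrast.
std::string renderUnsafe(const std::vector<Bookmark> &bms) {
    std::string html = "<ul>";
    for (const auto &b : bms)
        html += "<li><a href=\"" + b.url + "\">" + b.title + "</a></li>";
    return html + "</ul>";
}

// Hardened rendering: every user-controlled field is escaped and an href
// with a non-fetchable scheme is replaced by an inert anchor.
std::string renderSafe(const std::vector<Bookmark> &bms) {
    std::string html = "<ul>";
    for (const auto &b : bms) {
        std::string href = isSafeHref(b.url) ? htmlEscape(b.url) : "#";
        html += "<li><a href=\"" + href + "\">" + htmlEscape(b.title) + "</a></li>";
    }
    return html + "</ul>";
}

// Constructed sample input: one ordinary bookmark and one whose title and
// URL carry markup and a script-scheme URL.
std::vector<Bookmark> sampleBookmarks() {
    return {
        {"FreeBSD", "https://www.freebsd.org/"},
        {"x<script>alert(1)</script>", "javascript:alert(1)"},
    };
}

int main() {
    std::cout << "unsafe: " << renderUnsafe(sampleBookmarks()) << "\n\n"
              << "safe:   " << renderSafe(sampleBookmarks()) << "\n";
    return 0;
}
```

Escaping handles the title; the scheme check is what stops a `javascript:` URL, since a URL that is merely escaped still executes when the link is followed. A real implementation would apply the same two steps to every field that reaches the page (description, icon path, folder name), not only the two shown here.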

References

CVE Name CVE-2014-8600
URL https://www.kde.org/info/security/advisory-20141113-1.txt