CVE-2019-9149

Mailvelope prior to 3.3.0 allows private key operations without user interaction via its client-API. By modifying an URL parameter in Mailvelope, an attacker is able to sign (and encrypt) arbitrary messages with Mailvelope, assuming the private key password is cached. A second vulnerability allows an attacker to decrypt an arbitrary message when the GnuPG backend is used in Mailvelope.
Configurations

Configuration 1

cpe:2.3:a:mailvelope:mailvelope:*:*:*:*:*:*:*:*

Information

Published : 2019-07-09 09:15

Updated : 2022-04-18 04:56


NVD link : CVE-2019-9149

Mitre link : CVE-2019-9149

Products Affected
No products.
CWE
CWE-347

Improper Verification of Cryptographic Signature

CWE-863