Mailvelope
CVE-2019-9150
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
Mailvelope prior to 3.3.0 does not require user interaction to import public keys shown on web page. This functionality can be tricked to either hide a key import from the user or obscure which key was imported.
AnalysisAI
Mailvelope prior to 3.3.0 does not require user interaction to import public keys shown on web page. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-320. Mailvelope prior to 3.3.0 does not require user interaction to import public keys shown on web page. This functionality can be tricked to either hide a key import from the user or obscure which key was imported. Affected products include: Mailvelope. Version information: prior to 3.3.0.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
More in Mailvelope
View allMailvelope prior to 3.3.0 allows private key operations without user interaction via its client-API. Rated medium severi
Mailvelope prior to 3.3.0 accepts or operates with invalid PGP public keys: Mailvelope allows importing keys that contai
Mailvelope prior to 3.1.0 is vulnerable to a clickjacking attack against the settings page. Rated medium severity (CVSS
Same weakness CWE-320 – Key Management Errors
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today