CVE-2017-17848
7.5
HIGH
CVSS 3.1
EPSS 0.87%
Description
An issue was discovered in Enigmail before 1.9.9. In a variant of CVE-2017-17847, signature spoofing is possible for multipart/related messages because a signed message part can be referenced with a cid: URI but not actually displayed. In other words, the entire containing message appears to be signed, but the recipient does not see any of the signed text.
How to fix CVE-2017-17848
To remediate CVE-2017-17848, upgrade the affected package to a fixed version below.
- upgrade to 2:1.9.9-1 or later
Is CVE-2017-17848 being exploited?
Low — EPSS is 0.9%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- all versions from 0 up to, but not including, 2:1.9.9-1
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | HIGH | 7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |