U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • CPE Product Version: cpe:/a:gnome:evolution:1.4.4
There are 11 matching records.
Displaying matches 1 through 11.
Vuln ID Summary CVSS Severity
CVE-2021-3349

GNOME Evolution through 3.38.3 produces a "Valid signature" message for an unknown identifier on a previously trusted key because Evolution does not retrieve enough information from the GnuPG API. NOTE: third parties dispute the significance of this issue, and dispute whether Evolution is the best place to change this behavior

Published: February 01, 2021; 12:15:11 AM -0500
V3.1: 3.3 LOW
V2.0: 2.1 LOW
CVE-2020-11879

An issue was discovered in GNOME Evolution before 3.35.91. By using the proprietary (non-RFC6068) "mailto?attach=..." parameter, a website (or other source of mailto links) can make Evolution attach local files or directories to a composed email message without showing a warning to the user, as demonstrated by an attach=. value.

Published: April 17, 2020; 2:15:11 PM -0400
V3.1: 6.5 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2013-4166

The gpg_ctx_add_recipient function in camel/camel-gpg-context.c in GNOME Evolution 3.8.4 and earlier and Evolution Data Server 3.9.5 and earlier does not properly select the GPG key to use for email encryption, which might cause the email to be encrypted with the wrong key and allow remote attackers to obtain sensitive information.

Published: February 06, 2020; 10:15:10 AM -0500
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2018-15587

GNOME Evolution through 3.28.2 is prone to OpenPGP signatures being spoofed for arbitrary messages using a specially crafted email that contains a valid signature from the entity to be impersonated as an attachment.

Published: February 11, 2019; 12:29:00 PM -0500
V3.0: 6.5 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2016-10727

camel/providers/imapx/camel-imapx-server.c in the IMAPx component in GNOME evolution-data-server before 3.21.2 proceeds with cleartext data containing a password if the client wishes to use STARTTLS but the server will not use STARTTLS, which makes it easier for remote attackers to obtain sensitive information by sniffing the network. The server code was intended to report an error and not proceed, but the code was written incorrectly.

Published: July 20, 2018; 12:29:00 AM -0400
V3.0: 9.8 CRITICAL
V2.0: 5.0 MEDIUM
CVE-2018-12422

addressbook/backends/ldap/e-book-backend-ldap.c in Evolution-Data-Server in GNOME Evolution through 3.29.2 might allow attackers to trigger a Buffer Overflow via a long query that is processed by the strcat function. NOTE: the software maintainer disputes this because "the code had computed the required string length first, and then allocated a large-enough buffer on the heap.

Published: June 15, 2018; 12:29:00 PM -0400
V3.0: 9.8 CRITICAL
V2.0: 7.5 HIGH
CVE-2011-3201

GNOME Evolution before 3.2.3 allows user-assisted remote attackers to read arbitrary files via the attachment parameter to a mailto: URL, which attaches the file to the email.

Published: March 08, 2013; 4:55:01 PM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2009-1631

The Mailer component in Evolution 2.26.1 and earlier uses world-readable permissions for the .evolution directory, and certain directories and files under .evolution/ related to local mail, which allows local users to obtain sensitive information by reading these files.

Published: May 14, 2009; 1:30:00 PM -0400
V3.x:(not available)
V2.0: 2.1 LOW
CVE-2008-0072

Format string vulnerability in the emf_multipart_encrypted function in mail/em-format.c in Evolution 2.12.3 and earlier allows remote attackers to execute arbitrary code via a crafted encrypted message, as demonstrated using the Version field.

Published: March 05, 2008; 7:44:00 PM -0500
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2007-1266

Evolution 2.8.1 and earlier does not properly use the --status-fd argument when invoking GnuPG, which prevents Evolution from visually distinguishing between signed and unsigned portions of OpenPGP messages with multiple components, which allows remote attackers to forge the contents of a message without detection.

Published: March 06, 2007; 3:19:00 PM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2005-0102

Integer overflow in camel-lock-helper in Evolution 2.0.2 and earlier allows local users or remote malicious POP3 servers to execute arbitrary code via a length value of -1, which leads to a zero byte memory allocation and a buffer overflow.

Published: January 24, 2005; 12:00:00 AM -0500
V3.1: 9.8 CRITICAL
V2.0: 7.2 HIGH