Enigmail 1.7.x before 1.7.2 sends emails in plaintext when encryption is enabled and only BCC recipients are specified, which allows remote attackers to obtain sensitive information by sniffing the network.
Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed.
| Link | Tags |
|---|---|
| http://lists.opensuse.org/opensuse-updates/2014-09/msg00008.html | vendor advisory |
| http://secunia.com/advisories/60779 | third party advisory |
| http://sourceforge.net/p/enigmail/forum/support/thread/3e7268a4/ | |
| http://secunia.com/advisories/60887 | third party advisory |
| https://advisories.mageia.org/MGASA-2014-0421.html | |
| https://security.gentoo.org/glsa/201504-01 | vendor advisory |
| http://sourceforge.net/p/enigmail/bugs/294/ | patch |
| http://lists.opensuse.org/opensuse-updates/2014-09/msg00004.html | vendor advisory |
| http://www.openwall.com/lists/oss-security/2014/08/22/1 | mailing list |
| http://www.openwall.com/lists/oss-security/2014/08/18/2 | mailing list exploit |
| http://secunia.com/advisories/61854 | third party advisory |