Vulnerabilities > Enigmail > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-08-05 | CVE-2019-14664 | Cleartext Transmission of Sensitive Information vulnerability in multiple products In Enigmail below 2.1, an attacker in possession of PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. | 6.5 |
| 2019-02-11 | CVE-2018-15586 | Improper Verification of Cryptographic Signature vulnerability in Enigmail Enigmail before 2.0.6 is prone to to OpenPGP signatures being spoofed for arbitrary messages using a PGP/INLINE signature wrapped within a specially crafted multipart HTML email. | 4.3 |
| 2018-06-13 | CVE-2018-12019 | Improper Verification of Cryptographic Signature vulnerability in Enigmail The signature verification routine in Enigmail before 2.0.7 interprets user ids as status/control messages and does not correctly keep track of the status of multiple signatures, which allows remote attackers to spoof arbitrary email signatures via public keys containing crafted primary user ids. | 5.0 |
| 2017-12-27 | CVE-2017-17848 | Improper Verification of Cryptographic Signature vulnerability in multiple products An issue was discovered in Enigmail before 1.9.9. | 5.0 |
| 2017-12-27 | CVE-2017-17844 | Cleartext Transmission of Sensitive Information vulnerability in multiple products An issue was discovered in Enigmail before 1.9.9. | 6.5 |
| 2017-12-27 | CVE-2017-17843 | An issue was discovered in Enigmail before 1.9.9 that allows remote attackers to trigger use of an intended public key for encryption, because incorrect regular expressions are used for extraction of an e-mail address from a comma-separated list, as demonstrated by a modified Full Name field and a homograph attack, aka TBE-01-002. | 5.9 |
| 2014-09-08 | CVE-2014-5369 | Cryptographic Issues vulnerability in Enigmail 1.7/1.7.2 Enigmail 1.7.x before 1.7.2 sends emails in plaintext when encryption is enabled and only BCC recipients are specified, which allows remote attackers to obtain sensitive information by sniffing the network. | 4.3 |
| 2007-03-06 | CVE-2007-1264 | Unspecified vulnerability in Enigmail Enigmail 0.94.2 and earlier does not properly use the --status-fd argument when invoking GnuPG, which prevents Enigmail from visually distinguishing between signed and unsigned portions of OpenPGP messages with multiple components, which allows remote attackers to forge the contents of a message without detection. | 5.0 |
| 2005-10-18 | CVE-2005-3256 | Unspecified vulnerability in Enigmail The key selection dialogue in Enigmail before 0.92.1 can incorrectly select a key with a user ID that does not have additional information, which allows parties with that key to decrypt the message. | 5.0 |