Description:
KDE Konqueror for KDE 3.1.2 and earlier does not remove authentication credentials from URLs of the "user:password@host" form in the HTTP-Referer header, which could allow remote web sites to steal the credentials for pages that link to the sites.
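The defect above is a client-side one: the browser copies the whole page URL, userinfo included, into the outgoing Referer. The following is an added illustration written for this record, not KDE or Konqueror code; it contrasts that behaviour with a hardened derivation of the Referer value, and adds a server-side check a site operator could run over logged Referer values to spot clients that still leak credentials (URLs and credentials are constructed sample data).

```python
# Added example, not from the KDE project.  Shows the Referer derivation
# defect behind CVE-2003-0459 next to a corrected version, plus a check a
# site can apply to incoming Referer headers.
from urllib.parse import urlsplit, urlunsplit


def naive_referer(page_url: str) -> str:
    """Vulnerable behaviour: the page URL is sent verbatim as Referer,
    so 'user:password@' in the linking page's URL reaches the link target."""
    return page_url


def safe_referer(page_url: str) -> str:
    """Hardened behaviour: rebuild the URL from scheme, host, port, path
    and query only.  Userinfo is dropped; the fragment is dropped as well,
    since Referer never carries it."""
    parts = urlsplit(page_url)
    host = parts.hostname or ""
    if ":" in host:                      # IPv6 literal, restore brackets
        host = "[" + host + "]"
    if parts.port is not None:
        host = "%s:%d" % (host, parts.port)
    return urlunsplit((parts.scheme, host, parts.path, parts.query, ""))


def referer_carries_credentials(referer: str) -> bool:
    """Server-side detection: True when a received Referer still contains
    userinfo, i.e. the client failed to strip it."""
    parts = urlsplit(referer)
    return parts.username is not None or parts.password is not None


if __name__ == "__main__":
    # Constructed sample: an intranet page reached with inline credentials.
    page = "http://alice:s3cret@intranet.example/secret/page.html?x=1#top"
    print("leaky  :", naive_referer(page))
    print("safe   :", safe_referer(page))
    print("leaks? :", referer_carries_credentials(naive_referer(page)))
```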
Product(s):
- KDE Konqueror 2.1.1
- KDE Konqueror 2.2.2
- KDE Konqueror 3.0.1
- KDE Konqueror 3.0.2
- KDE Konqueror 3.0.3
- KDE Konqueror 3.0.5
- KDE Konqueror 3.0
- KDE Konqueror 3.1.1
- KDE Konqueror 3.1.2
- KDE Konqueror 3.1
- KDE Konqueror Embedded 0.1
- Red Hat Analog Real-Time Synthesizer 2.1.1-5 on i386
- Red Hat Analog Real-Time Synthesizer 2.2-11 on i386
- Red Hat Analog Real-Time Synthesizer 2.2-11 on IA64
- Red Hat KDEBase 3.0.3-13 on i386
- Red Hat KDEBase 3.0.3-13 Dev on i386
- Red Hat KDELibs 2.1.1-5 on i386
- Red Hat Kdelibs 2.2-11 on i386
- Red Hat Kdelibs 2.2-11 on IA64
- Red Hat Kdelibs 3.0.0-10 on i386
- Red Hat Kdelibs 3.1-10 on i386
- Red Hat Kdelibs Devel 2.1.1-5 for i386
- Red Hat Kdelibs Devel 2.2-11 for i386
- Red Hat Kdelibs Devel 2.2-11 for IA64 Development
- Red Hat Kdelibs Devel 3.0.0-10 for I386 Development
- Red Hat Kdelibs Devel 3.0.3-8 for I386 Development
- Red Hat Kdelibs Devel 3.1-10 for I386 Development
- Red Hat Kdelibs Sound 2.1.1-5 for I386 Sound
- Red Hat Kdelibs Sound 2.2-11 for i386
- Red Hat Kdelibs Sound 2.2-11 for IA64
- Red Hat Kdelibs Sound Devel 2.1.1-5 for i386
- Red Hat Kdelibs Sound Devel 2.2-11 for i386
- Red Hat Kdelibs Sound Devel 2.2-11 for IA64
Questions to Ask Vendors:
- Can you confirm whether your systems are affected by CVE-2003-0459, and if so, what steps are you currently taking to mitigate this vulnerability?
- What is your estimated timeline for fully resolving CVE-2003-0459 in your products or services, and how will you communicate updates on this issue to us as your customer?
Recommended Actions:
- Check out the advisory links provided below.