Ark input sanitization errors: The KDE archiving tool, Ark,
performs insufficient validation which leads to specially crafted
archive files, using unknown MIME types, to be rendered using a KHTML
instance, this can trigger uncontrolled XMLHTTPRequests to remote
sites.
IO Slaves input sanitization errors: KDE protocol handlers perform
insufficient input validation, an attacker can craft malicious URI
that would trigger JavaScript execution. Additionally the 'help://'
protocol handler suffer from directory traversal. It should be noted
that the scope of this issue is limited as the malicious URIs cannot
be embedded in Internet hosted content.
KMail input sanitization errors: The KDE mail client, KMail, performs
insufficient validation which leads to specially crafted email
attachments, using unknown MIME types, to be rendered using a KHTML
instance, this can trigger uncontrolled XMLHTTPRequests to remote
sites.
The exploitation of these vulnerabilities is unlikely according to
Portcullis and KDE but the execution of active content is nonetheless
unexpected and might pose a threat.