CVE-2019-9147

Source
https://cve.org/CVERecord?id=CVE-2019-9147
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-9147.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2019-9147
Published
2019-07-09T21:15:11.193Z
Modified
2025-11-14T10:03:14.098092Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Summary
[none]
Details

Mailvelope prior to 3.1.0 is vulnerable to a clickjacking attack against the settings page. As the settings page is intended to be accessible from web applications, the browser's extension isolation mechanisms are disabled (web_accessible_resources). Mailvelope implements additional measures to prevent web applications from directly embedding the settings page, but this mechanism can be bypassed.

References

Affected packages

Git / github.com/mailvelope/mailvelope

Affected ranges

Type
GIT
Repo
https://github.com/mailvelope/mailvelope
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v0.*

v0.10.0
v0.10.0b1
v0.10.2
v0.12.0b1
v0.12.0b2
v0.12.0b3
v0.13.0
v0.13.0b1
v0.13.0b10
v0.13.0b11
v0.13.0b2
v0.13.0b3
v0.13.0b4
v0.13.0b5
v0.13.0b6
v0.13.0b7
v0.13.0b8
v0.13.0b9
v0.13.1
v0.13.2
v0.7.0
v0.7.0b1
v0.7.0b2
v0.7.0b3
v0.8.0
v0.8.0b1
v0.8.1
v0.8.2
v0.9.0

v1.*

v1.0.0
v1.0.1
v1.0.2
v1.1.0
v1.2.0
v1.2.2
v1.2.3
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.3.4
v1.3.6
v1.4.0
v1.5.1
v1.5.2
v1.6.0
v1.6.5
v1.7.1
v1.7.2
v1.8.0
v1.8.1

v2.*

v2.0.0
v2.1.0
v2.1.1
v2.2.0
v2.2.1
v2.2.2

v3.*

v3.0.0
v3.0.1
v3.0.2

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-9147.json"