CVE-2024-50624

Cleartext Transmission of Sensitive Information

Published: Oct 28, 2024 | Modified: May 31, 2025
CVSS 3.x: N/A (Source: NVD)
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu: MEDIUM

ispdbservice.cpp in KDE Kmail before 6.2.0 allows man-in-the-middle attackers to trigger use of an attacker-controlled mail server because cleartext HTTP is used for a URL such as http://autoconfig.example.com or http://example.com/.well-known/autoconfig for retrieving the configuration. This is related to kmail-account-wizard.

Weakness

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

Affected Software

Name                  Vendor  Start Version     End Version
Kdepim                Ubuntu  esm-apps/xenial   *
Kdepim                Ubuntu  upstream          *
Kmail                 Ubuntu  focal             *
Kmail                 Ubuntu  oracular          *
Kmail-account-wizard  Ubuntu  esm-apps/bionic   *
Kmail-account-wizard  Ubuntu  esm-apps/focal    *
Kmail-account-wizard  Ubuntu  esm-apps/jammy    *
Kmail-account-wizard  Ubuntu  esm-apps/noble    *
Kmail-account-wizard  Ubuntu  jammy             *
Kmail-account-wizard  Ubuntu  noble             *
Kmail-account-wizard  Ubuntu  upstream          *