KDE fails in multiple places to properly quote URLs and file names before passing them to a command shell. This could allow remote attackers to execute arbitrary commands via carefully crafted URLs, filenames, or email addresses.

Red Hat Linux 9 provides KDE version 3.1 and is not vulnerable to the first issue (CAN-2002-1393). Red Hat Linux 7.3 and 8.0 currently provide KDE version 3.0.3 and are vulnerable to both of these issues. Red Hat Linux 7.2 shipped with KDE 2.2.2, and Red Hat Linux 7.1 shipped with KDE 2.1.1. The versions are vulnerable to both of the issues.