In KDE Trojita 0.7, man-in-the-middle attackers can create new folders because untagged responses from an IMAP server are accepted before STARTTLS.Referenceshttps://nostarttls.secvuln.infohttps://bugs.kde.org/show_bug.cgi?id=432353
