This is a security issue certainly, but it is a particular type of issue that arises from attempting to analyze the security of a large and complex system built from parts whose interactions as so complicated that they are never likely to be sufficiently understood.
Basically the attack is to create a new multipart MIME message and sandwich the ciphertexts we wish to break between chunks of HTML with a URL reference to a web server we control.
This sort of attack could be devastating in certain situations.
The other attack they describe, the CBC gadget attack is one that I have already been using a control against. I use a key derivation function to calculate IVs rather than passing them in-band. I started doing this because it cleans up the message flows a lot but it also turns out to have security advantages.
