RainLoop Webmail Bug Allows Hackers to View All Emails

The open-source RainLoop web-based email client has an unpatched high-severity security flaw that could be used to steal emails from victims' inboxes.


SonarSource security researcher Simon Scannell said this week that an attacker can easily exploit the code vulnerability by sending a malicious email to a victim who uses RainLoop as their mail client.


Once the victim opens the message, the attacker can hijack the victim's session and read every email in the mailbox, including passwords, documents, and password-reset links.


Tracked as CVE-2022-29360, the flaw is a stored cross-site scripting (XSS) bug in the latest RainLoop release, v1.16.0, which was published on May 7, 2021.


Stored (persistent) XSS occurs when an application saves attacker-controlled input (a comment field on a forum, or, in a webmail client, the body of an incoming email) and later renders it to other users without adequately sanitizing it, so the embedded script runs in their browsers within the application's own origin and session.


RainLoop installations in their default configuration can be attacked simply by sending specially crafted emails to potential victims: each message carries a malicious JavaScript payload that executes in the victim's browser as soon as the email is opened, with no further interaction required.
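To make the failure mode concrete, here is an added example that is not RainLoop's code and does not reproduce the actual CVE-2022-29360 bypass (which the article does not detail): a blocklist-style HTML-email sanitizer of the kind that lets email-borne XSS through, beside an allowlist-based one, both run over a set of constructed payloads. The tag and attribute allowlists, the URL-scheme list and the payloads are the example's own assumptions, chosen to show the classic ways blocklists are evaded.

```javascript
// Added example, not RainLoop's code: a blocklist-style HTML-email sanitizer of the
// kind that breeds stored XSS, beside an allowlist-based one. Node.js, no dependencies.
// The payloads below are constructed for the demo and are not the CVE-2022-29360 bypass.

// 1. Naive blocklist: strip <script> blocks and the literal "javascript:" scheme.
function naiveSanitize(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, "")
    .replace(/javascript:/gi, "");
}

// 2. Allowlist: keep only known tags and attributes, validate URL schemes after
//    canonicalization, and re-encode everything that is emitted.
const ALLOWED_TAGS = new Set(["p", "br", "b", "i", "u", "em", "strong", "a", "img", "div", "span", "blockquote"]);
const ALLOWED_ATTRS = { a: ["href", "title"], img: ["src", "alt", "width", "height"] }; // no style, no on*
const URL_ATTRS = new Set(["href", "src"]);
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);
const NAMED_ENTITIES = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'", colon: ":", tab: "\t", newline: "\n", nbsp: "\u00a0" };

// Decode character references the way a browser does before it interprets an attribute,
// so "java&#x09;script:" and "javascript&colon;" are seen for what they are.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (match, body) => {
    if (body[0] === "#") {
      const hex = body[1].toLowerCase() === "x";
      const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : "";
    }
    const v = NAMED_ENTITIES[body.toLowerCase()];
    return v === undefined ? match : v;
  });
}

const escapeHtml = (s) => s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
const escapeText = (s) => s.replace(/</g, "&lt;").replace(/>/g, "&gt;"); // text nodes: neutralize tag delimiters

// Accept a URL only if, after decoding and removing the control/whitespace bytes browsers
// ignore, it carries an explicit scheme from the allowlist. Relative URLs are rejected too.
function safeUrl(raw) {
  const decoded = decodeEntities(raw);
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(decoded.replace(/[\u0000-\u0020\u007f]/g, ""));
  return m && ALLOWED_SCHEMES.has(m[1].toLowerCase()) ? decoded.trim() : null;
}

const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s"'>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>/g;
const ATTR_RE = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function sanitizeAttrs(tag, attrText) {
  const allowed = ALLOWED_ATTRS[tag] || [];
  let out = "";
  for (const m of attrText.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    if (!allowed.includes(name)) continue;               // drops style, onerror, onload, ...
    let value = m[2] ?? m[3] ?? m[4] ?? "";
    value = URL_ATTRS.has(name) ? safeUrl(value) : decodeEntities(value);
    if (value !== null) out += ` ${name}="${escapeHtml(value)}"`;
  }
  return out;
}

// Anything that does not parse as a well-formed tag is treated as text and escaped,
// so a malformed tag can never reach the browser as markup (fail closed).
function allowlistSanitize(html) {
  let out = "", last = 0;
  for (const m of html.matchAll(TAG_RE)) {
    out += escapeText(html.slice(last, m.index));
    last = m.index + m[0].length;
    const [, slash, rawName, attrText] = m;
    const name = rawName.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) continue;               // unknown tag: gone, its text stays inert
    out += slash ? `</${name}>` : `<${name}${sanitizeAttrs(name, attrText)}>`;
  }
  return out + escapeText(html.slice(last));
}

// Heuristic used only to label the demo output; it is not a security control.
function looksExecutable(html) {
  return /<script\b|\son[a-z]+\s*=|javascript\s*:|&colon;|&#x?0*9;?/i.test(html);
}

// Constructed payloads: each is a textbook bypass of some blocklist, plus one benign message.
const PAYLOADS = [
  '<ScRiPt>alert(1)</ScRiPt>',
  '<img src="x" onerror="alert(1)">',
  '<svg onload="alert(1)"></svg>',
  '<a href="JaVaScRiPt:alert(1)">click</a>',
  '<a href="java&#x09;script:alert(1)">click</a>',
  '<a href="javascript&colon;alert(1)">click</a>',
  '<p style="background:url(javascript:alert(1))">hi</p>',
  '<p>Hi <b>there</b>, see <a href="https://example.com/r?a=1&amp;b=2">this</a> &amp; <img src="https://example.com/pic.png" alt="pic"></p>',
];

function compare(payloads = PAYLOADS) {
  return payloads.map((p) => {
    const naive = naiveSanitize(p), strict = allowlistSanitize(p);
    return { payload: p, naive, naiveStillExecutable: looksExecutable(naive), strict, strictStillExecutable: looksExecutable(strict) };
  });
}

console.table(compare());
```

Run it with `node`: four of the seven hostile payloads survive the blocklist (event handlers and entity-encoded schemes), none survive the allowlist, and the benign message passes through unchanged. The point is the model, not this particular code: a real client should sanitize with a DOM-parsing library such as DOMPurify rather than regular expressions, render message bodies in a sandboxed iframe on a separate origin, and ship a Content-Security-Policy, so that a single missed string in a blocklist cannot hand an attacker the session.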



SonarSource reported the bug to RainLoop's developers on November 30, 2021; more than four months later, the project has still not issued a fix.


On December 6, 2021, SonarSource, the Swiss code quality and security company, also opened an issue on RainLoop's GitHub repository, which has yet to be resolved. As soon as we hear back from RainLoop regarding this story, we will update the article.


With no patch available, SonarSource recommends that users migrate to SnappyMail, an actively maintained fork of RainLoop that is not affected by the flaw.


