An unpatched high-severity security flaw has been disclosed in the open-source RainLoop web-based email client that could be weaponized to siphon e-mails from victims’ inboxes.
“The code vulnerability […] can be effortlessly exploited by an attacker by sending a malicious email to a target that employs RainLoop as a mail client,” SonarSource security researcher Simon Scannell said in a report released this week.
“When the email is considered by the victim, the attacker gains full management over the session of the target and can steal any of their e-mails, together with those that include hugely delicate information such as passwords, files, and password reset links.”
Tracked as CVE-2022-29360, the flaw relates to a stored cross-site scripting (XSS) vulnerability impacting the latest version of RainLoop (v1.16.) that was released on May 7, 2021.
Stored XSS flaws, also known as persistent XSS, occur when a malicious script is injected directly into a target web application’s server by means of user input (e.g., a comment field) that is permanently stored in a database and is later served to other users.
SonarSource, in its disclosure timeline, said that it notified the maintainers of RainLoop of the bug on November 30, 2021, and that the software maker has failed to issue a fix for more than four months.
An issue raised on GitHub by the Swiss code quality and security company on December 6, 2021, remains open to date. We have reached out to RainLoop for comment, and we will update the story if we hear back.
In the absence of patches, SonarSource is recommending that users migrate to a RainLoop fork called SnappyMail, which is actively maintained and unaffected by the security issue.