An unpatched superior-severity security flaw has been disclosed in the open-source RainLoop web-based email consumer that could be weaponized to siphon e-mails from victims’ inboxes.
“The code vulnerability […] can be effortlessly exploited by an attacker by sending a malicious email to a target that employs RainLoop as a mail client,” SonarSource security researcher Simon Scannell said in a report released this 7 days.
“When the email is considered by the victim, the attacker gains full management over the session of the target and can steal any of their e-mail, together with these that include hugely delicate information this sort of as passwords, files, and password reset links.”
Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).
➤ Get Mullvad VPN with 12% Discount
Tracked as CVE-2022-29360, the flaw relates to a stored cross-web site-scripting (XSS) vulnerability impacting the newest version of RainLoop (v1.16.) that was introduced on Could 7, 2021.
Saved XSS flaws, also known as persistent XSS, manifest when a malicious script is injected immediately into a goal web application’s server by indicates of person enter (e.g., comment area) that is forever saved in a database and is later on served to other customers.
Impacting all RainLoop installations functioning underneath default configurations, attack chains leveraging the flaw could consider the variety of a specially crafted email despatched to opportunity victims that, when viewed, executes a malicious JavaScript payload in the browser with out necessitating any person interaction.
SonarSource, in its disclosure timeline, said that it notified the maintainers of RainLoop of the bug on November 30, 2021, and that the application maker has failed to issue a fix for a lot more than four months.
An issue raised on GitHub by the Swiss code good quality and security corporation on December 6, 2021, continues to be open up to day. We have achieved out to RainLoop for remark, and we will update the tale if we hear back.
In the absence of patches, SonarSource is recommending consumers to migrate to a RainLoop fork termed SnappyMail, which is actively maintained and unaffected by the security issue.
Located this article attention-grabbing? Observe THN on Fb, Twitter and LinkedIn to examine extra special written content we submit.
Some pieces of this post are sourced from:
thehackernews.com