An unpatched high-severity security flaw has been disclosed in the open-source RainLoop web-based email client that could be weaponized to siphon emails from victims’ inboxes.
“The code vulnerability […] can be easily exploited by an attacker by sending a malicious email to a victim that uses RainLoop as a mail client,” SonarSource security researcher Simon Scannell said in a report published this week.
“When the email is viewed by the victim, the attacker gains full control over the session of the victim and can steal any of their emails, including those that contain highly sensitive information such as passwords, documents, and password reset links.”
Tracked as CVE-2022-29360, the flaw is a stored cross-site scripting (XSS) vulnerability affecting the latest version of RainLoop (v1.16.0), which was released on May 7, 2021.
Stored XSS flaws, also known as persistent XSS, occur when a malicious script is injected directly into a target web application’s server by way of user input (e.g., a comment field) that is permanently stored in a database and is later served to other users.
SonarSource, in its disclosure timeline, said that it notified the maintainers of RainLoop of the bug on November 30, 2021, and that the software maker has failed to issue a fix for more than four months.
An issue raised on GitHub by the Swiss code quality and security company on December 6, 2021, remains open to date. We have reached out to RainLoop for comment, and we will update the story if we hear back.
In the absence of patches, SonarSource recommends that users migrate to a RainLoop fork called SnappyMail, which is actively maintained and unaffected by the security issue.