FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

rainloop -- cross-site scripting (XSS) vulnerability

Affected packages
rainloop-community-php74 < 1.16.0_2
rainloop-community-php80 < 1.16.0_2
rainloop-community-php81 < 1.16.0_2
rainloop-php74 < 1.16.0_2
rainloop-php80 < 1.16.0_2
rainloop-php81 < 1.16.0_2
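
The list above is a VuXML version range: any of the six rainloop packages at a version below 1.16.0_2 is affected. The following POSIX sh script is an added example, not part of the VuXML entry or of the FreeBSD pkg tooling; it implements the same "< 1.16.0_2" test over `pkg query '%n %v'`-style output so that an administrator can see how the range matching works. The package inventory it scans is a constructed sample, and the version comparator is a simplified one (dotted numeric components plus an optional `_PORTREVISION`; it ignores `,PORTEPOCH` and letter suffixes, which this advisory's versions do not use).

```shell
#!/bin/sh
# Constructed sample of `pkg query '%n %v'` output (not real system output).
SAMPLE_PKGS='rainloop-php81 1.16.0_1
rainloop-community-php80 1.16.0_2
rainloop-php74 1.15.0
nginx 1.22.0_1'

# Compare two port versions of the form X.Y.Z[_R]; prints -1, 0 or 1.
# Simplified comparator: numeric dotted components, then PORTREVISION.
vercmp() {
    av=${1%%_*}; ar=${1#*_}; [ "$ar" = "$1" ] && ar=0
    bv=${2%%_*}; br=${2#*_}; [ "$br" = "$2" ] && br=0
    # Walk the dotted components left to right; a missing component counts as 0.
    while [ -n "$av" ] || [ -n "$bv" ]; do
        ac=${av%%.*}; bc=${bv%%.*}
        [ "$ac" = "$av" ] && av='' || av=${av#*.}
        [ "$bc" = "$bv" ] && bv='' || bv=${bv#*.}
        ac=${ac:-0}; bc=${bc:-0}
        if [ "$ac" -lt "$bc" ]; then echo -1; return; fi
        if [ "$ac" -gt "$bc" ]; then echo 1; return; fi
    done
    # Same upstream version: PORTREVISION decides (1.16.0_1 < 1.16.0_2).
    if [ "$ar" -lt "$br" ]; then echo -1
    elif [ "$ar" -gt "$br" ]; then echo 1
    else echo 0
    fi
}

# True (exit 0) when $1 is one of the packages named in the advisory and
# $2 is below the fixed version 1.16.0_2 from the Affected packages list.
is_affected() {
    case $1 in
        rainloop-php74|rainloop-php80|rainloop-php81|\
        rainloop-community-php74|rainloop-community-php80|rainloop-community-php81) ;;
        *) return 1 ;;
    esac
    [ "$(vercmp "$2" 1.16.0_2)" -lt 0 ]
}

# Scan "name version" lines and print the ones the advisory covers.
scan_pkgs() {
    printf '%s\n' "$1" | while read -r name ver; do
        [ -n "$name" ] || continue
        if is_affected "$name" "$ver"; then
            printf '%s %s\n' "$name" "$ver"
        fi
    done
}

# Usage: on a real host replace the constructed sample with `pkg query '%n %v'`.
scan_pkgs "$SAMPLE_PKGS"
```

On a FreeBSD host the equivalent check against the full VuXML database, not just this entry, is `pkg audit -F`, which fetches the current vulnerability data and reports every installed package that falls inside a documented range; the script above only shows what that range test looks like for this one entry.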

Details

VuXML ID a8118db0-cac2-11ec-9288-0800270512f4
Discovery 2022-04-19
Entry 2022-05-03

Simon Scannell reports:

The code vulnerability can be easily exploited by an attacker by sending a malicious email to a victim that uses RainLoop as a mail client. When the email is viewed by the victim, the attacker gains full control over the session of the victim and can steal any of their emails, including those that contain highly sensitive information such as passwords, documents, and password reset links.

References

CVE Name CVE-2022-29360
URL https://blog.sonarsource.com/rainloop-emails-at-risk-due-to-code-flaw
URL https://github.com/RainLoop/rainloop-webmail/issues/2142