The open-source RainLoop web-based email client contains an unpatched high-severity security issue that might be weaponized to steal emails from the inboxes of victims.
“The code vulnerability […] can be easily exploited by an attacker by sending a malicious email to a victim that uses RainLoop as a mail client,” SonarSource security researcher Simon Scannell said in a report published recently.
“When the email is viewed by the victim, the attacker gains full control over the session of the victim and can steal any of their emails, including those that contain highly sensitive information such as passwords, documents, and password reset links.”
The flaw, which has been assigned the number CVE-2022-29360, is a stored cross-site scripting (XSS) vulnerability that affects the current version of RainLoop (v1.16.0). Stored XSS issues, also known as persistent XSS flaws, arise when a malicious script is injected directly into a target web application’s server via user input (e.g., comment box), which is then permanently saved in the database and presented to other users.
Attack chains using the weakness might take the shape of a specially prepared email sent to potential victims that, when opened, runs a malicious JavaScript payload in the browser without needing any user involvement, affecting all RainLoop installations running under default configurations. SonarSource’s disclosure chronology alerted RainLoop’s maintainers of the defect on November 30, 2021, and the software developer has been unable to deliver a remedy for more than four months.
The Swiss code quality and security business registered an issue on GitHub on December 6, 2021, which is still open to this day. In the absence of updates, SonarSource advises users to transfer to SnappyMail, a RainLoop branch that is actively maintained and unaffected by the security flaw.
