
RainLoop vulnerability puts emails at risk

The Hacker News reports that SonarSource has identified a high-severity vulnerability in the open-source RainLoop web-based email client that could be leveraged for email exfiltration. Attackers could exploit the stored cross-site scripting flaw, tracked as CVE-2022-29360, by delivering malicious emails to individuals using RainLoop, according to SonarSource researcher Simon Scannell. "When the email is viewed by the victim, the attacker gains full control over the session of the victim and can steal any of their emails, including those that contain highly sensitive information such as passwords, documents, and password reset links," Scannell said. The report added that all RainLoop v.1.16.0 installations are affected by the stored XSS bug. Although SonarSource informed the RainLoop maintainers of the flaw last November, RainLoop has yet to issue a fix. RainLoop users have been urged to switch to SnappyMail, a RainLoop fork unaffected by the vulnerability, while waiting for an official patch from RainLoop.
