The Hacker News reports that SonarSource has identified a high-severity vulnerability in the open-source RainLoop web-based email client which could be leveraged for email exfiltration.
Attackers could exploit the stored cross-site scripting flaw, tracked as CVE-2022-29360, by delivering malicious emails to individuals using RainLoop, according to SonarSource researcher Simon Scannell.
"When the email is viewed by the victim, the attacker gains full control over the session of the victim and can steal any of their emails, including those that contain highly sensitive information such as passwords, documents, and password reset links," Scannell said.
The report added that all RainLoop v.1.16.0 installations are affected by the stored XSS bug.
While RainLoop maintainers have been informed by SonarSource regarding the flaw last November, RainLoop has yet to issue fixes. RainLoop users have been urged to leverage SnappyMail, a RainLoop fork unaffected by the vulnerability, while waiting for official patches coming from RainLoop.