An client information leak vulnerability (CVE-2024-23330) has been identified in Tuta Mail. This vulnerability could leak client information by loading external resources in the mail even if disabled.
Details
- Product: Tuta Mail
- Affected Version: Tuta Mail < 3.119.10
- Vulnerability Type: Server-Side Request Forgery (SSRF) (CWE-918)
- Risk Level: Medium
- Vendor URL: https://tuta.com/
- Vendor acknowledged vulnerability: Yes
- Vendor Status: Fixed
- CVE: CVE-2024-23330
The vulnerability was discovered during testing of Tutanota for iOS. By sending a html email with an embeded svg image, an attacker could receive the information when the email was read, which device is used and the user’s ip address.
References
Timeline
- 2024-01-22: Vendor has reported that the vulnerability has been fixed.
- 2024-11-29: This blog post was published.
Credits
文章来源: https://github.security.telekom.com/2024/11/tuta-mail-svg-image-ip-leak.html
如有侵权请联系:admin#unsafe.sh