Tuta Mail Vulnerability - Client Information Leak
2024-11-29 08:00:00 Author: github.security.telekom.com

A client information leak vulnerability (CVE-2024-23330) has been identified in Tuta Mail. The client loads external resources referenced from a mail even when loading of external content is disabled, which leaks client information to whoever controls those resources.

Details

  • Product: Tuta Mail
  • Affected Version: Tuta Mail < 3.119.10
  • Vulnerability Type: Server-Side Request Forgery (SSRF) (CWE-918)
  • Risk Level: Medium
  • Vendor URL: https://tuta.com/
  • Vendor acknowledged vulnerability: Yes
  • Vendor Status: Fixed
  • CVE: CVE-2024-23330

The vulnerability was discovered during testing of Tutanota for iOS. By sending an HTML email with an embedded SVG image, an attacker could learn, at the moment the email was read, which device was used and the user's IP address.
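The defensive check that a mail client needs here is to treat references inside an SVG as external content, not only the `src` of a top-level `<img>`. The following is an added example, not Tuta's code, and it assumes the leak mechanism is an inline SVG whose attributes (`href`, `xlink:href`, `style` with `url(...)`) point at a remote host; the sample mail body and the host names in it are constructed for the demonstration. It uses only the Python standard library and returns both the findings and a rewritten body with the remote references stripped.

```python
"""Flag and strip remote references inside inline SVG in an HTML mail body."""
from html import escape
from html.parser import HTMLParser

# Attributes that can cause a fetch when an SVG subtree is rendered inline.
# Constructed list for this example; extend it for your renderer.
FETCHING_ATTRS = {"href", "xlink:href", "src", "data", "style"}


def _is_remote(value: str) -> bool:
    """True for absolute/protocol-relative URLs or CSS url() pointing off-host."""
    v = "".join(value.split()).lower().replace('"', "").replace("'", "")
    if v.startswith(("http://", "https://", "//")):
        return True
    return any(m in v for m in ("url(http://", "url(https://", "url(//"))


class SvgRefAuditor(HTMLParser):
    """Walks the document, records remote refs inside <svg>, and plans edits."""

    def __init__(self, html: str):
        super().__init__()
        self.svg_depth = 0
        self.findings = []   # (tag, attribute, value)
        self.edits = []      # (abs_start, abs_end, replacement tag text)
        # Map parser (line, column) positions to absolute string offsets.
        self._line_starts = [0]
        for i, ch in enumerate(html):
            if ch == "\n":
                self._line_starts.append(i + 1)

    def _abs_pos(self) -> int:
        line, col = self.getpos()
        return self._line_starts[line - 1] + col

    def _inspect(self, tag, attrs, self_closing):
        if tag == "svg":
            self.svg_depth += 1
        if self.svg_depth == 0:
            return  # outside SVG: the client's normal external-content policy applies
        bad = [(a, v) for a, v in attrs
               if v and a in FETCHING_ATTRS and _is_remote(v)]
        if not bad:
            return
        for a, v in bad:
            self.findings.append((tag, a, v))
        kept = [(a, v) for a, v in attrs if (a, v) not in bad]
        parts = [tag] + [a if v is None else f'{a}="{escape(v, quote=True)}"'
                         for a, v in kept]
        new_tag = "<" + " ".join(parts) + ("/>" if self_closing else ">")
        start = self._abs_pos()
        self.edits.append((start, start + len(self.get_starttag_text()), new_tag))

    def handle_starttag(self, tag, attrs):
        self._inspect(tag, attrs, self_closing=False)

    def handle_startendtag(self, tag, attrs):
        self._inspect(tag, attrs, self_closing=True)
        if tag == "svg":
            self.svg_depth -= 1

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth > 0:
            self.svg_depth -= 1


def audit_mail_html(html: str):
    """Return (findings, cleaned_html); remote SVG references are removed."""
    p = SvgRefAuditor(html)
    p.feed(html)
    p.close()
    out = html
    for start, end, repl in sorted(p.edits, reverse=True):
        out = out[:start] + repl + out[end:]
    return p.findings, out


# Constructed sample mail body: one ordinary <img> (handled by the normal
# external-content switch) and an inline SVG carrying two remote references.
SAMPLE_MAIL = """<html><body>
<p>Hello</p>
<img src="https://cdn.example.invalid/logo.png">
<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">
  <image xlink:href="https://tracker.example.invalid/pixel.svg" width="1" height="1"/>
  <rect width="1" height="1" style="fill: url(https://tracker.example.invalid/p.svg#g)"/>
  <use href="#local"/>
</svg>
</body></html>"""

if __name__ == "__main__":
    found, cleaned = audit_mail_html(SAMPLE_MAIL)
    for f in found:
        print("remote reference in SVG:", f)
    print(cleaned)
```

Note that the `xmlns` declaration on `<svg>` is a URL but is not in the fetching set and is left alone, while `href="#local"` survives because fragment references do not leave the document. Deploying such a filter belongs in the same code path that enforces the "block external content" setting, so that the SVG case cannot bypass it.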

References

Timeline

  • 2024-01-22: Vendor has reported that the vulnerability has been fixed.
  • 2024-11-29: This blog post was published.

Credits


Source: https://github.security.telekom.com/2024/11/tuta-mail-svg-image-ip-leak.html