Security researchers have found a serious stored XSS vulnerability in the RainLoop webmail platform. Unfortunately, the researchers confirmed that they were aware of no fix at the time of disclosure. This means that users of the vulnerable platform need to remain careful, as the threat of malicious exploitation persists.
Stored XSS RainLoop Vulnerability
According to the details shared in a recent post, the SonarSource team caught a persistent cross-site scripting (XSS) vulnerability affecting the RainLoop Webmail platform.
RainLoop is a simple open-source web-based email client facilitating swift communications in various organizations.
As elaborated, the XSS flaw (CVE-2022-29360) appeared in the platform's code due to a logic bug in a step that runs after the sanitization process. Exploiting this vulnerability simply required an adversary to send a maliciously crafted email to the target system. Once the victim opens the email, the embedded malicious JavaScript payload executes and the attacker gains control of the victim's system. In turn, this allows the adversary to steal emails without further user interaction.
The following video demonstrates the attack scenario.
Recommended Mitigation
The researchers have confirmed that the vulnerability remained unpatched until public disclosure. Despite repeated attempts to contact the vendors, they received no response regarding a fix.
This means that all RainLoop Webmail users remain exposed to potential exploits. Therefore, the researchers have shared a temporary workaround for users to mitigate the flaw until an official patch arrives from the vendors.
Specifically, they advise users to switch to SnappyMail, a RainLoop fork unaffected by the stored XSS vulnerability. For those who prefer to patch the flaw instead, the researchers have shared the code and the procedure to apply the fix in their post, though they urge users to apply this unofficial patch at their own risk.
Besides, to prevent similar bugs, the researchers advise developers not to modify data after sanitization.
We recommend developers not to modify any data after it has been sanitized, as any modification could reverse the sanitization step. Additionally, it is recommended to work with a DOM tree object rather than operating on HTML text, as this leaves much more room for mistakes.
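To make the researchers' advice concrete, here is an added, constructed illustration of the bug class (not RainLoop's code and not the actual CVE-2022-29360 logic): a toy sanitizer that is correct on its own, followed by a display fix-up that modifies the sanitized text and thereby reintroduces active content, beside the safe ordering with an idempotence check. All function names and the sample mail are assumptions made for this example.

```javascript
// Toy regex-based sanitizer used ONLY to show the ordering problem; a real
// deployment should sanitize on a parsed DOM tree, not on HTML text.
function sanitize(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '')          // drop script blocks
    .replace(/\s+on[a-z]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '') // drop on* handlers
    .replace(/javascript:/gi, '');                                // drop javascript: URLs
}

// A "harmless" display fix-up that decodes a few entities so quoted mail shows
// literal characters. Run after sanitization, it is exactly the kind of
// post-sanitization modification the researchers warn about.
function decodeEntities(text) {
  return text
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&amp;/g, '&');
}

// Vulnerable ordering: sanitize first, then modify the sanitized output.
function renderVulnerable(mail) {
  return decodeEntities(sanitize(mail));
}

// Safe ordering: apply every transformation first and sanitize last, then
// verify the cheap invariant that sanitizing the output again changes nothing.
function renderSafe(mail) {
  const out = sanitize(decodeEntities(mail));
  if (sanitize(out) !== out) {
    throw new Error('sanitizer output is not stable; refusing to render');
  }
  return out;
}

// Detection helper: does a rendered string still carry active markup?
function hasActiveMarkup(html) {
  return /<script\b/i.test(html) || /\son[a-z]+\s*=/i.test(html) || /javascript:/i.test(html);
}

// Constructed sample mail body: an entity-encoded script tag is inert as text,
// so the sanitizer (correctly) leaves it alone; decoding it afterwards is the bug.
const sample = 'Hello &lt;script&gt;alert(1)&lt;/script&gt; <b>there</b>';

console.log('vulnerable ordering active markup:', hasActiveMarkup(renderVulnerable(sample))); // true
console.log('safe ordering active markup:', hasActiveMarkup(renderSafe(sample)));             // false
```

The same invariant check (re-sanitize the final output and compare) is a useful regression test to wire into any pipeline that has more than one transformation stage after user input enters it.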