All Tutanota apps (web, desktop, Android, iOS) version 3.112.5 were vulnerable to HTML attribute injection, which we explain in more detail below.
The vulnerability has been fixed and vulnerable versions of the applications have been disabled and can no longer be used.

Vulnerability details
Version 3.112.5 of the application introduced the display of the email subject in the application header. This was done by setting a title for a component that displayed that section of the application. The same title is used as the accessibility ARIA title for that view via the HTML attribute aria-label. The code used mithril's hyperscript capabilities to add ARIA attributes via a single selector string. The selector string was built unsafely, so a specifically crafted email subject could alter the selector and therefore the HTML attributes.
The vulnerability was addressed by using an attributes object instead of hard-coding the attributes in a mithril selector.
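
The difference between the two patterns, as an added example that is not Tutanota's or mithril's code: parseSelector is a simplified stand-in for a hyperscript selector parser, and h, headerUnsafe, headerSafe and the sample subject are hypothetical names and values constructed for illustration. The exact shape of the original vulnerable selector is an assumption.

```javascript
// Added example. parseSelector is a simplified stand-in for a hyperscript
// selector parser (tag followed by [name=value] groups); it is not mithril's code.
function parseSelector(selector) {
  const tag = (selector.match(/^[^.#\[\]]+/) || ["div"])[0];
  const attrs = {};
  const attrRe = /\[([^=\]]+)(?:=("|'|)(.*?)\2)?\]/g;
  let m;
  while ((m = attrRe.exec(selector)) !== null) {
    // A bare [name] becomes a boolean attribute, [name=value] a string.
    attrs[m[1]] = m[3] === undefined ? true : m[3];
  }
  return { tag, attrs };
}

// Hypothetical hyperscript helper: selector attributes merged with an attrs object.
function h(selector, attrs = {}) {
  const parsed = parseSelector(selector);
  return { tag: parsed.tag, attrs: { ...parsed.attrs, ...attrs } };
}

// Vulnerable pattern (assumed shape): untrusted subject concatenated into the selector.
function headerUnsafe(subject) {
  return h("div[aria-label=" + subject + "]");
}

// Fixed pattern: static selector, subject passed as data in the attributes object.
function headerSafe(subject) {
  return h("div", { "aria-label": subject });
}

// Constructed sample subject; data-injected is a harmless marker attribute.
const craftedSubject = "Invoice][data-injected=1";

console.log(headerUnsafe(craftedSubject).attrs);
// { 'aria-label': 'Invoice', 'data-injected': '1' }
console.log(headerSafe(craftedSubject).attrs);
// { 'aria-label': 'Invoice][data-injected=1' }
```

With the attributes object the subject never passes through the selector grammar, so bracket characters in it stay part of the aria-label value.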