
Disclosure of vulnerabilities

Posted: Wed Dec 18, 2024 7:58 am
by Aklima@42
A vulnerable version of Tutanota was released on April 3rd. One of our users notified us of the issue three days later and we fixed it immediately. Now, all affected versions of Tutanota have been disabled and we would like to inform you about the issue for full transparency.

All Tutanota apps (web, desktop, Android, iOS) version 3.112.5 were vulnerable to HTML attribute injection, which we explain in more detail below.

The vulnerability has been fixed and vulnerable versions of the applications have been disabled and can no longer be used.



Vulnerability details
Version 3.112.5 of the application introduced the display of the email subject in the application header. This was done by setting a title for a component that displayed that section of the application. The same title is used as the accessibility ARIA title for that view via the <head> attribute aria-label. The code used mithril's hyperscript capabilities to add ARIA attributes via a single selector string. The selector string was unsafely manipulated, allowing the selector and therefore the HTML attributes to be manipulated through the use of a specifically crafted email subject.



The vulnerability was addressed by using an attributes object instead of hard-coding the attributes in a mithril selector.
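To make the mechanism in the post concrete, here is an added illustration (not Tutanota's code, and not mithril's parser) of why splicing untrusted text into a hyperscript selector string is dangerous and why an attributes object fixes it. The `parseSelector` function below is a deliberately simplified model of how a selector such as `"h1[aria-label=...]"` is turned into a tag name plus attributes: every `[name=value]` group becomes an attribute. The email subject, the selector shape, and the `vulnerableHeader` / `fixedHeader` / `injectedAttributeNames` functions are all constructed for this example.

```javascript
// Simplified model of hyperscript selector parsing: a leading tag name,
// followed by any number of "[name=value]" attribute groups. This is an
// added example, NOT mithril's real parser (id/class handling is omitted);
// it only mirrors the relevant behaviour that every bracket group in the
// string becomes an attribute on the rendered element.
function parseSelector(selector) {
  const attrs = {};
  const tagMatch = selector.match(/^[a-zA-Z][\w-]*/);
  const tag = tagMatch ? tagMatch[0] : "div";
  const attrRe = /\[([^\]=]+)(?:=([^\]]*))?\]/g;
  let m;
  while ((m = attrRe.exec(selector)) !== null) {
    // A group without "=" is a boolean attribute; otherwise keep the value.
    attrs[m[1]] = m[2] === undefined ? true : m[2];
  }
  return { tag, attrs };
}

// Vulnerable pattern (hypothetical, modelled on the post's description):
// the untrusted subject is concatenated straight into the selector string,
// so a "]" in the subject closes the aria-label group and anything after
// it is parsed as further attributes chosen by the sender.
function vulnerableHeader(subject) {
  return parseSelector("h1[aria-label=" + subject + "]");
}

// Fixed pattern: the selector is a constant and the untrusted subject is
// passed in an attributes object, where it can only ever be the *value*
// of aria-label, never a new attribute name.
function fixedHeader(subject) {
  const { tag, attrs } = parseSelector("h1");
  return { tag, attrs: { ...attrs, "aria-label": subject } };
}

// Check a practitioner would want: which attributes other than aria-label
// ended up on the element? A non-empty list means attribute injection.
function injectedAttributeNames(header) {
  return Object.keys(header.attrs).filter((name) => name !== "aria-label");
}

// Constructed malicious subject for the demonstration (not from the page).
// Rendered through the vulnerable path it yields three attributes:
// aria-label="Invoice", onmouseover="alert(1)", data-x="".
const craftedSubject = "Invoice][onmouseover=alert(1)][data-x=";

// Stand-alone run: show both paths side by side.
console.log("vulnerable:", vulnerableHeader(craftedSubject));
console.log("injected:  ", injectedAttributeNames(vulnerableHeader(craftedSubject)));
console.log("fixed:     ", fixedHeader(craftedSubject));
console.log("injected:  ", injectedAttributeNames(fixedHeader(craftedSubject)));
```

The point to take from the fixed version is not that the subject is escaped, but that it never reaches the parser at all: once untrusted data is confined to an attribute value in an object, the set of attribute names on the element is fixed by the code, which is exactly the property the selector-string approach lost.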