PT-2018-13128 · Bloop · Bloop Airmail 3

Published

2018-08-21

Updated

2020-08-24

CVE-2018-15667

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions Bloop Airmail 3 version 3.5.9

Description An issue in Bloop Airmail 3 allows external applications to send arbitrary emails from an active account without authentication, using the airmail:// URL scheme. The send command in this scheme can be invoked by any method, such as a hyperlink in an email, and processes the command without prompting the user, leading to automatic transmission of attacker-crafted emails.

Recommendations For Bloop Airmail 3 version 3.5.9, consider disabling the airmail:// URL scheme handler until a patch is available to prevent unauthorized email sending. Restrict access to the send command in the URL scheme to minimize the risk of exploitation.

Fix

Improper Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-287

Related Identifiers

CVE-2018-15667

Affected Products

Bloop Airmail 3

PT-2018-13128 · Bloop · Bloop Airmail 3

CVE-2018-15667

Weakness Enumeration

Related Identifiers

Affected Products

References · 3