PT-2018-13130 · Bloop · Bloop Airmail 3

Published

2018-08-21

Updated

2020-05-04

CVE-2018-15669

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions Bloop Airmail 3 version 3.5.9

Description An issue was discovered where the primary WebView instance in Bloop Airmail 3 for macOS does not properly restrict frame navigation requests from all sub-classes of HTMLFrameOwnerElements. Specifically, while requests from HTMLIFrameElements are blacklisted, other sub-classes are not forbidden by the policy. This could allow an attacker to abuse HTML plug-in elements within an email to trigger frame navigation requests that bypass the filter.

Recommendations For Bloop Airmail 3 version 3.5.9, consider restricting access to HTML plug-in elements within emails as a temporary workaround until a patch is available.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2018-15669

Affected Products

Bloop Airmail 3

PT-2018-13130 · Bloop · Bloop Airmail 3

CVE-2018-15669

Related Identifiers

Affected Products

References · 3