PT-2023-29850 · Tutanota · Tutanota

Pachinko2821 · Published 2023-12-15 · Updated 2023-12-28 · CVE-2023-46116

CVSS v3.1: 9.3 Critical
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Tutanota versions prior to 3.118.12
Description: The issue concerns the handling of URL schemes in links contained in emails, which Tutanota opens in external applications. Prior to version 3.118.12, Tutanota blocks the file: URL scheme but does not check other harmful schemes such as ftp: and smb:, so a link using one of those schemes is handed to the operating system unfiltered. A malicious sender can use this to gain code execution on the victim's computer once the victim clicks the link.
Recommendations: For versions prior to 3.118.12, update to version 3.118.12 or later to resolve the issue. As a temporary workaround, consider disabling the ability to open links in external applications until the update is applied, and restrict harmful URL schemes such as ftp: and smb: at the operating-system level to minimize the risk of exploitation.
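The description and recommendations above come down to one design point: a scheme denylist that only names file: lets every other scheme through, whereas an allowlist of the few schemes a mail client has any reason to open does not. The following is an added example written for this page, not Tutanota's code or its actual fix; the function names, the allowed-scheme set and the sample links are assumptions. It puts a denylist check modelled on the behaviour the advisory describes beside an allowlist check built on the WHATWG URL parser, and runs both over constructed href values of the kind an HTML email could carry.

```javascript
// Added example (not Tutanota's code): scheme denylist vs. allowlist for
// links a mail client opens in external applications. Runs under Node.js;
// all sample links below are constructed for the demonstration.

// Vulnerable pattern, modelled on the behaviour the advisory describes for
// versions before 3.118.12: only the file: scheme is refused, everything
// else is handed to the OS to open in an external application.
function denylistAllowsLink(href) {
  return !/^\s*file:/i.test(href);
}

// Hardened pattern: parse the link with the WHATWG URL parser (which
// normalises scheme case and strips leading/trailing whitespace) and accept
// only the schemes the client has a reason to open. Assumed allowed set.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:", "mailto:"]);

function allowlistAllowsLink(href) {
  let url;
  try {
    url = new URL(href);
  } catch {
    return false; // unparseable links are never handed to the OS
  }
  return ALLOWED_PROTOCOLS.has(url.protocol);
}

// Constructed href values as they might appear in an HTML email.
const SAMPLE_LINKS = [
  "https://example.com/invoice.pdf",
  "mailto:alice@example.com",
  "file:///C:/Windows/System32/calc.exe",
  "ftp://203.0.113.5/pub/",
  "smb://203.0.113.5/share/",
  "  SMB://203.0.113.5/share/", // leading whitespace + upper-case scheme
  "javascript:alert(document.cookie)",
  "not a url",
];

// Links the denylist would open but the allowlist refuses: the gap the
// advisory describes, plus anything else the denylist never considered.
function linksMissedByDenylist(hrefs) {
  return hrefs.filter((h) => denylistAllowsLink(h) && !allowlistAllowsLink(h));
}

// Side-by-side verdicts for every sample link.
function classifyLinks(hrefs) {
  return hrefs.map((href) => ({
    href,
    denylist: denylistAllowsLink(href) ? "open" : "block",
    allowlist: allowlistAllowsLink(href) ? "open" : "block",
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(classifyLinks(SAMPLE_LINKS));
}
```

Running the file prints a table in which only the file: link is blocked by the denylist, while the allowlist blocks file:, ftp:, smb: (in either case and with leading whitespace), javascript: and the unparseable string. The allowlist is the shape of check to prefer whenever the action on the other side is "hand this string to the operating system".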

Exploit

Fix

RCE


Weakness Enumeration

Related Identifiers

CVE-2023-46116
GHSA-MXGJ-PQ62-F644

Affected Products

Tutanota