PT-2024-19812 · Tuta · Tuta · 79Vt9V4 · Published 2024-01-23 · Updated 2024-02-01 · CVE-2024-23330

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Tuta versions prior to 119.10
Description: The issue concerns how external content in emails is loaded. With the default setting, external resources should not be loaded without user confirmation. However, certain embedded images are loaded even when the "Automatic Reloading of Images" function is disabled, and this loading happens unencrypted over HTTP, with the service following redirections. This allows the sender to learn that the email address is in use, when the email was read and on which device, and it exposes the user's IP address.
Recommendations: For versions prior to 119.10, update to version 119.10 to resolve the issue. As a temporary workaround, consider disabling automatic image loading in the email service settings to reduce the risk of exploitation. Restrict access to external content in emails to prevent unintended loading of resources. Avoid using the default setting that allows automatic reloading of images until the issue is resolved.
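The safe client-side behaviour the description implies, as an added example that is not Tuta's code: inline images (cid:, data:) always render from the message itself, remote images are fetched only when the user has opted in, plain-http and protocol-relative references are never fetched, and every redirect hop is re-checked so an https fetch cannot be bounced to http. The regex stands in for the DOM-based sanitizer a real client would use; the sample message and hostnames are constructed.

```javascript
// Added example (not Tuta's code): a defender-side policy for embedded images in
// an HTML email, covering the cleartext fetch and redirect-following described in
// CVE-2024-23330. A regex stands in for a DOM sanitizer (unquoted src is not handled).

const INLINE_SCHEMES = ["cid:", "data:"];

// Classify one image reference: "inline", "remote-https", "remote-http" or "other".
function classifyImageSource(src) {
  const s = src.trim().toLowerCase();
  if (INLINE_SCHEMES.some((p) => s.startsWith(p))) return "inline";
  if (s.startsWith("https://")) return "remote-https";
  // Plain http and protocol-relative URLs can both end up as cleartext fetches.
  if (s.startsWith("http://") || s.startsWith("//")) return "remote-http";
  return "other";
}

// May this image be fetched right now, given the "load external images" setting?
function mayLoadImage(src, autoLoadEnabled) {
  const kind = classifyImageSource(src);
  if (kind === "inline") return true;
  if (kind === "remote-https") return autoLoadEnabled;
  return false; // cleartext or unknown scheme: never, regardless of the setting
}

// Redirects are re-checked hop by hop, so an https image cannot be bounced to http.
function redirectTargetAllowed(location) {
  return classifyImageSource(location) === "remote-https";
}

// Matches src="..." / src='...' on <img> tags (whitespace before src keeps data-src out).
const IMG_SRC_RE = /(<img\b[^>]*?\s)src\s*=\s*(["'])(.*?)\2/gi;

// Rewrite the HTML so blocked images carry no src at all; the original URL is kept
// in data-blocked-src so an explicit "show images" action can restore it later.
function sanitizeEmailImages(html, autoLoadEnabled) {
  let blocked = 0;
  const out = html.replace(IMG_SRC_RE, (whole, pre, q, src) => {
    if (mayLoadImage(src, autoLoadEnabled)) return whole;
    blocked += 1;
    return `${pre}data-blocked-src=${q}${src}${q}`;
  });
  return { html: out, blocked };
}

// Constructed sample message: one inline image, one cleartext pixel, one https image.
const SAMPLE_EMAIL =
  '<p>Hello</p><img src="cid:logo@example"><img src="http://pixel.example/p.gif">' +
  '<img alt="a" src="https://cdn.example/a.png">';
```

With automatic loading off, `sanitizeEmailImages(SAMPLE_EMAIL, false)` blocks both remote images and keeps the cid: one; with it on, only the plain-http image stays blocked.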

Exploit · Fix · SSRF

Weakness Enumeration

Related Identifiers

CVE-2024-23330
GHSA-32W8-V5FC-VPP7

Affected Products

Tuta