RainLoop Webmail

An unpatched high-severity security flaw has been disclosed in the open-source RainLoop web-based email client that could be weaponized to siphon emails from victims' inboxes.

"The code vulnerability [...] can be easily exploited by an attacker by sending a malicious email to a victim that uses RainLoop as a mail client," SonarSource security researcher Simon Scannell said in a report published today.

"When the email is viewed by the victim, the attacker gains full control over the session of the victim and can steal any of their emails, including those that contain highly sensitive information such as passwords, documents, and password reset links."


Tracked as CVE-2022-29360, the flaw relates to a stored cross-site-scripting (XSS) vulnerability affecting the latest version of RainLoop (v1.16.0), which was released on May 7, 2021.

Stored XSS flaws, also known as persistent XSS, occur when a malicious script is injected directly into a target web application's server via user input (e.g., a comment field) that is permanently stored in a database and is later served to other users.

Affecting all RainLoop installations running under default configurations, attack chains leveraging the flaw can take the form of a specially crafted email sent to potential victims that, when viewed, executes a malicious JavaScript payload in the browser without requiring any user interaction.
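The defensive counterpart to the attack chain described above is how a webmail client renders an untrusted HTML email body. The following is an added example, not RainLoop's or SonarSource's code: an allowlist-based sanitizer that strips script, event-handler attributes and `javascript:` links before the message reaches the recipient's browser. The tag and attribute allowlists and the sample email are assumptions constructed for illustration.

```python
# Added example (not RainLoop's or SonarSource's code): allowlist-based
# sanitizer for untrusted HTML email bodies. Allowlists are assumptions.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol",
                "li", "div", "span", "blockquote"}
VOID_TAGS = {"br"}
ALLOWED_ATTRS = {"a": {"href"}}          # no on* handlers, no style, no src
SAFE_SCHEMES = {"http", "https", "mailto"}
DROP_WITH_CONTENT = {"script", "style"}  # text inside these is discarded too

def is_safe_href(value):
    """Reject javascript:, data:, vbscript: and scheme-less links."""
    return urlparse(value.strip()).scheme.lower() in SAFE_SCHEMES

class EmailHtmlSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip_depth = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return                       # unknown tag: drop it, keep its text
        kept = [f' {n}="{escape(v, quote=True)}"' for n, v in attrs
                if n in ALLOWED_ATTRS.get(tag, set()) and v and is_safe_href(v)]
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS - VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))  # re-escape decoded text

def sanitize_email_html(body):
    """Return the untrusted HTML body with only allowlisted markup kept."""
    parser = EmailHtmlSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out)

# Constructed sample: script, an event handler and a javascript: link.
MALICIOUS_EMAIL_HTML = ('<p>Hi <b>there</b></p><script>alert(1)</script>'
                        '<img src=x onerror="alert(1)">'
                        '<a href="javascript:alert(1)" onclick="x()">link</a>'
                        '<a href="https://example.org">ok</a>')
```

Running `sanitize_email_html(MALICIOUS_EMAIL_HTML)` yields `<p>Hi <b>there</b></p><a>link</a><a href="https://example.org">ok</a>`; a Content-Security-Policy header on the webmail response is a sensible second layer, since any sanitizer bypass otherwise runs with the victim's session.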


SonarSource, in its disclosure timeline, said that it notified the maintainers of RainLoop of the bug on November 30, 2021, and that the software vendor has failed to issue a fix for more than four months.

An issue raised on GitHub by the Swiss code quality and security company on December 6, 2021, remains open to date. We have reached out to RainLoop for comment, and we will update the story if we hear back.

In the absence of patches, SonarSource is recommending that users migrate to a RainLoop fork called SnappyMail, which is actively maintained and unaffected by the security issue.
