QwikSec

Security Database

CVE

CWE

Training

CVE-2023-46116

Published: Dec 15, 2023

Modified: Oct 8, 2024

PUBLISHED

CVSS v3.1

9.3

CRITICAL

Description

Tutanota (Tuta Mail) is an encrypted email provider. Tutanota allows users to open links in emails in external applications. Prior to version 3.118.12, it correctly blocks the `file:` URL scheme, which can be used by malicious actors to gain code execution on a victims computer, however fails to check other harmful schemes such as `ftp:`, `smb:`, etc. which can also be used. Successful exploitation of this vulnerability will enable an attacker to gain code execution on a victim's computer. Version 3.118.2 contains a patch for this issue.

Vendor	Product	Versions
tutao	tutanota	affected `< 3.118.12`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

References

https://github.com/tutao/tutanota/security/advisories/GHSA-mxgj-pq62-f644

x_refsource_CONFIRM

https://github.com/tutao/tutanota/commit/88ecad17d00d05a722399aed35f0d280899d55a2

x_refsource_MISC

https://github.com/tutao/tutanota/blob/master/src/desktop/ApplicationWindow.ts#L417

x_refsource_MISC

https://github.com/tutao/tutanota/blob/master/src/desktop/ApplicationWindow.ts#L423

x_refsource_MISC

https://user-images.githubusercontent.com/46137338/270564886-7a0389d3-f9ef-44e1-9f5e-57ccc72dcaa8.mp4

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.