{
  "id": "CVE-2024-45800",
  "sourceIdentifier": "security-advisories@github.com",
  "published": "2024-09-16T20:15:47.097",
  "lastModified": "2024-09-20T12:31:20.110",
  "vulnStatus": "Awaiting Analysis",
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Snappymail is an open source web-based email client. SnappyMail uses the `cleanHtml()` function to cleanup HTML and CSS in emails. Research discovered that the function has a few bugs which cause an mXSS exploit. Because the function allowed too many (invalid) HTML elements, it was possible (with incorrect markup) to trick the browser to \"fix\" the broken markup into valid markup. As a result a motivated attacker may be able to inject javascript. However, due to the default Content Security Policy the impact of the exploit is minimal. It could be possible to create an attack which leaks some data when loading images through the proxy.\nThis way it might be possible to use the proxy to attack the local system, like with `http://localhost:5000/leak`. Another attack could be to load a JavaScript attachment of the email. This is very tricky as the email must link to every possible UID as each email has a unique UID which has a value between 1 and 18446744073709551615. **v2.38.0** and up now remove unsupported HTML elements which mitigates the issue. Users are advised to upgrade. Older versions can install an extension named \"Security mXSS\" as a mitigation. This will be available at the administration area at `/?admin#/packages`. **NOTE:** this extension can not \"fix\" malicious code in encrypted messages or (html) attachments as it can't manipulate the JavaScript code for this. It only protects normal message HTML."
    },
    {
      "lang": "es",
      "value": "Snappymail es un cliente de correo electr\u00f3nico basado en la web de c\u00f3digo abierto. SnappyMail utiliza la funci\u00f3n `cleanHtml()` para limpiar el HTML y CSS en los correos electr\u00f3nicos. La investigaci\u00f3n descubri\u00f3 que la funci\u00f3n tiene algunos errores que provocan un exploit mXSS. Debido a que la funci\u00f3n permit\u00eda demasiados elementos HTML (no v\u00e1lidos), era posible (con un marcado incorrecto) enga\u00f1ar al navegador para que \"arreglara\" el marcado roto y lo convirtiera en un marcado v\u00e1lido. Como resultado, un atacante motivado podr\u00eda ser capaz de inyectar JavaScript. Sin embargo, debido a la Pol\u00edtica de seguridad de contenido predeterminada, el impacto del exploit es m\u00ednimo. Podr\u00eda ser posible crear un ataque que filtre algunos datos al cargar im\u00e1genes a trav\u00e9s del proxy. De esta manera, podr\u00eda ser posible usar el proxy para atacar el sistema local, como con `http://localhost:5000/leak`. Otro ataque podr\u00eda ser cargar un archivo adjunto de JavaScript del correo electr\u00f3nico. Esto es muy complicado, ya que el correo electr\u00f3nico debe vincularse a cada UID posible, ya que cada correo electr\u00f3nico tiene un UID \u00fanico que tiene un valor entre 1 y 18446744073709551615. **v2.38.0** y versiones posteriores ahora eliminan los elementos HTML no compatibles, lo que mitiga el problema. Se recomienda a los usuarios que actualicen. Las versiones anteriores pueden instalar una extensi\u00f3n llamada \"Security mXSS\" como mitigaci\u00f3n. Estar\u00e1 disponible en el \u00e1rea de administraci\u00f3n en `/?admin#/packages`. **NOTA:** esta extensi\u00f3n no puede \"arreglar\" c\u00f3digo malicioso en mensajes cifrados o archivos adjuntos (html) ya que no puede manipular el c\u00f3digo JavaScript para esto. Solo protege el HTML de los mensajes normales."
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "security-advisories@github.com",
        "type": "Secondary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",
          "baseScore": 5.0,
          "baseSeverity": "MEDIUM",
          "attackVector": "NETWORK",
          "attackComplexity": "HIGH",
          "privilegesRequired": "NONE",
          "userInteraction": "REQUIRED",
          "scope": "UNCHANGED",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "availabilityImpact": "LOW"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 3.4
      }
    ]
  },
  "weaknesses": [
    {
      "source": "security-advisories@github.com",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://github.com/the-djmaze/snappymail/blob/master/dev/Common/Html.js",
      "source": "security-advisories@github.com"
    },
    {
      "url": "https://github.com/the-djmaze/snappymail/commit/cfbc47488a6b2e2ae4be484f501ee1a3485f542e",
      "source": "security-advisories@github.com"
    },
    {
      "url": "https://github.com/the-djmaze/snappymail/security/advisories/GHSA-2rq7-79vp-ffxm",
      "source": "security-advisories@github.com"
    }
  ]
}