CVE-2023-46116 Information

Dec 16, 2023 cve

Description

Tutanota (Tuta Mail) is an encrypted email provider. Tutanota allows users to open links in emails in external applications. Prior to version 3.118.12 it correctly blocks the file: URL scheme which can be used by malicious actors to gain code execution on a victims computer however fails to check other harmful schemes such as ftp: smb: etc. which can also be used. Successful exploitation of this vulnerability will enable an attacker to gain code execution on a victim’s computer. Version 3.118.2 contains a patch for this issue.

Reference

https://github.com/tutao/tutanota/security/advisories/GHSA-mxgj-pq62-f644 https://github.com/tutao/tutanota/commit/88ecad17d00d05a722399aed35f0d280899d55a2 https://github.com/tutao/tutanota/blob/master/src/desktop/ApplicationWindow.ts#L417 https://github.com/tutao/tutanota/blob/master/src/desktop/ApplicationWindow.ts#L423 https://user-images.githubusercontent.com/46137338/270564886-7a0389d3-f9ef-44e1-9f5e-57ccc72dcaa8.mp4

Share on: