CVE-2024-23655 (GCVE-0-2024-23655)
Vulnerability from cvelistv5 – Published: 2024-01-25 19:38 – Updated: 2024-11-13 15:38
Title
Attacker can prevent users from accessing received emails
Summary
Tuta is an encrypted email service. Starting in version 3.118.12 and prior to version 3.119.10, an attacker can send a manipulated email that puts the recipient's client into an unusable state, so that the user can no longer use the app to access received emails. Because the vulnerability affects the web application as well as the native app, an affected user has no alternative client through which to reach their mailbox. The issue was tested with iOS and the web app, but it is possible that all clients are affected. The CNA's CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects that no privileges and no user interaction are required beyond the victim receiving the email, and that the impact is to availability only. Version 3.119.10 fixes this issue; no workaround is listed in this record.
Severity (CVSS v3.1 base score, as assigned by the CNA)
7.5 (High)
CWE
- CWE-20 - Improper Input Validation
Assigner: GitHub_M (per `cveMetadata.assignerShortName` in the record below)
References
- https://github.com/tutao/tutanota/security/advisories/GHSA-5h47-g927-629g (vendor advisory, x_refsource_CONFIRM)
- https://github.com/tutao/tutanota/releases/tag/tutanota-release-3.119.10 (release containing the fix, x_refsource_MISC)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:06:25.288Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/tutao/tutanota/security/advisories/GHSA-5h47-g927-629g",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/tutao/tutanota/security/advisories/GHSA-5h47-g927-629g"
},
{
"name": "https://github.com/tutao/tutanota/releases/tag/tutanota-release-3.119.10",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/tutao/tutanota/releases/tag/tutanota-release-3.119.10"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-23655",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-30T19:19:11.074757Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-13T15:38:45.987Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "tutanota",
"vendor": "tutao",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.118.12, \u003c 3.119.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tuta is an encrypted email service. Starting in version 3.118.12 and prior to version 3.119.10, an attacker is able to send a manipulated email so that the user can no longer use the app to get access to received emails. By sending a manipulated email, an attacker could put the app into an unusable state. In this case, a user can no longer access received e-mails. Since the vulnerability affects not only the app, but also the web application, a user in this case has no way to access received emails. This issue was tested with iOS and the web app, but it is possible all clients are affected. Version 3.119.10 fixes this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-25T19:38:18.916Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/tutao/tutanota/security/advisories/GHSA-5h47-g927-629g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tutao/tutanota/security/advisories/GHSA-5h47-g927-629g"
},
{
"name": "https://github.com/tutao/tutanota/releases/tag/tutanota-release-3.119.10",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tutao/tutanota/releases/tag/tutanota-release-3.119.10"
}
],
"source": {
"advisory": "GHSA-5h47-g927-629g",
"discovery": "UNKNOWN"
},
"title": "Attacker can prevent users from accessing received emails"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-23655",
"datePublished": "2024-01-25T19:38:18.916Z",
"dateReserved": "2024-01-19T00:18:53.235Z",
"dateUpdated": "2024-11-13T15:38:45.987Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-23330 (GCVE-0-2024-23330)
Vulnerability from cvelistv5 – Published: 2024-01-23 17:22 – Updated: 2025-05-30 14:19
Title
Tuta loads images from external resources
Summary
Tuta is an encrypted email service. In versions prior to 119.10 (the affected range is recorded as `< 119.10`; given the version scheme used in the other Tuta records on this page, this presumably refers to release 3.119.10), an attacker can embed an image in an HTML mail that is fetched from an external resource under the default setting, which is supposed to prevent loading of external resources. When an email containing external content is displayed, that content should be loaded only after explicit confirmation by the user. However, certain embedded images (see the PoC in the advisory) were found to be loaded even though the "Automatic Reloading of Images" function is disabled by default. The reload is also performed unencrypted over HTTP, so the request is visible to any on-path observer, and redirections are followed. This behaviour is unexpected for the user, who assumes that external content is loaded only after explicit manual confirmation. Loading external content from an email is a privacy risk: it lets the sender learn that the address is in use, when the email was read, which device was used, and the user's IP address. Since it is the user's own IP address that is exposed, the fetch appears to be made by the mail client rather than by a Tuta server, so despite the CWE-918 (SSRF) classification this is better understood as a client-side external-content (tracking-pixel) leak. Version 119.10 contains a patch for this issue.
Severity (CVSS v3.1 base score, as assigned by the CNA)
5.3 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner: GitHub_M (per `cveMetadata.assignerShortName` in the record below)
References
- https://github.com/tutao/tutanota/security/advisories/GHSA-32w8-v5fc-vpp7 (vendor advisory, x_refsource_CONFIRM)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:59:32.246Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/tutao/tutanota/security/advisories/GHSA-32w8-v5fc-vpp7",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/tutao/tutanota/security/advisories/GHSA-32w8-v5fc-vpp7"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-23330",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T15:34:27.751178Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-30T14:19:01.910Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "tutanota",
"vendor": "tutao",
"versions": [
{
"status": "affected",
"version": "\u003c 119.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tuta is an encrypted email service. In versions prior to 119.10, an attacker can attach an image in a html mail which is loaded from external resource in the default setting, which should prevent loading of external resources. When displaying emails containing external content, they should be loaded by default only after confirmation by the user. However, it could be recognized that certain embedded images (see PoC) are loaded, even though the \"Automatic Reloading of Images\" function is disabled by default. The reloading is also done unencrypted via HTTP and redirections are followed. This behavior is unexpected for the user, since the user assumes that external content will only be loaded after explicit manual confirmation. The loading of external content in e-mails represents a risk, because this makes the sender aware that the e-mail address is used, when the e-mail was read, which device is used and expose the user\u0027s IP address. Version 119.10 contains a patch for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-23T17:22:25.503Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/tutao/tutanota/security/advisories/GHSA-32w8-v5fc-vpp7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tutao/tutanota/security/advisories/GHSA-32w8-v5fc-vpp7"
}
],
"source": {
"advisory": "GHSA-32w8-v5fc-vpp7",
"discovery": "UNKNOWN"
},
"title": "Tuta loads images from external resources"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-23330",
"datePublished": "2024-01-23T17:22:25.503Z",
"dateReserved": "2024-01-15T15:19:19.442Z",
"dateUpdated": "2025-05-30T14:19:01.910Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-46116 (GCVE-0-2023-46116)
Vulnerability from cvelistv5 – Published: 2023-12-15 13:44 – Updated: 2024-10-08 14:14
Title
Remote Code Execution via insufficiently sanitized call to shell.openExternal
Summary
Tutanota (Tuta Mail) is an encrypted email provider. Tutanota allows users to open links in emails in external applications. Prior to version 3.118.12, the desktop client (the `shell.openExternal` call in `src/desktop/ApplicationWindow.ts`) correctly blocks the `file:` URL scheme — which could otherwise be used to gain code execution on a victim's computer — but fails to check other harmful schemes such as `ftp:` and `smb:`, which can be abused in the same way. Successful exploitation enables an attacker to gain code execution on a victim's computer once the victim opens the malicious link (the CVSS vector records UI:R). Version 3.118.12 contains a patch for this issue (the original description says "3.118.2", which does not match the affected range `< 3.118.12` and is presumably a typo).
Severity (CVSS v3.1 base score, as assigned by the CNA)
9.3 (Critical)
CWE
- CWE-20 - Improper Input Validation
Assigner: GitHub_M (per `cveMetadata.assignerShortName` in the record below)
References
- https://github.com/tutao/tutanota/security/advisories/GHSA-mxgj-pq62-f644 (vendor advisory, x_refsource_CONFIRM)
- https://github.com/tutao/tutanota/commit/88ecad17d00d05a722399aed35f0d280899d55a2 (commit referenced by the advisory, x_refsource_MISC)
- https://github.com/tutao/tutanota/blob/master/src/desktop/ApplicationWindow.ts#L417 and https://github.com/tutao/tutanota/blob/master/src/desktop/ApplicationWindow.ts#L423 (x_refsource_MISC; these point at `master` with line anchors, so the anchors will drift as the file changes — use the commit link above for a stable view)
- https://user-images.githubusercontent.com/46137338/270564886-7a0389d3-f9ef-44e1-9f5e-57ccc72dcaa8.mp4 (video, presumably the proof of concept, x_refsource_MISC)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:37:39.493Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/tutao/tutanota/security/advisories/GHSA-mxgj-pq62-f644",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/tutao/tutanota/security/advisories/GHSA-mxgj-pq62-f644"
},
{
"name": "https://github.com/tutao/tutanota/commit/88ecad17d00d05a722399aed35f0d280899d55a2",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/tutao/tutanota/commit/88ecad17d00d05a722399aed35f0d280899d55a2"
},
{
"name": "https://github.com/tutao/tutanota/blob/master/src/desktop/ApplicationWindow.ts#L417",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/tutao/tutanota/blob/master/src/desktop/ApplicationWindow.ts#L417"
},
{
"name": "https://github.com/tutao/tutanota/blob/master/src/desktop/ApplicationWindow.ts#L423",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/tutao/tutanota/blob/master/src/desktop/ApplicationWindow.ts#L423"
},
{
"name": "https://user-images.githubusercontent.com/46137338/270564886-7a0389d3-f9ef-44e1-9f5e-57ccc72dcaa8.mp4",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://user-images.githubusercontent.com/46137338/270564886-7a0389d3-f9ef-44e1-9f5e-57ccc72dcaa8.mp4"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-46116",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-26T20:19:04.221033Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-08T14:14:03.776Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "tutanota",
"vendor": "tutao",
"versions": [
{
"status": "affected",
"version": "\u003c 3.118.12"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tutanota (Tuta Mail) is an encrypted email provider. Tutanota allows users to open links in emails in external applications. Prior to version 3.118.12, it correctly blocks the `file:` URL scheme, which can be used by malicious actors to gain code execution on a victims computer, however fails to check other harmful schemes such as `ftp:`, `smb:`, etc. which can also be used. Successful exploitation of this vulnerability will enable an attacker to gain code execution on a victim\u0027s computer. Version 3.118.2 contains a patch for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-15T13:44:05.153Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/tutao/tutanota/security/advisories/GHSA-mxgj-pq62-f644",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tutao/tutanota/security/advisories/GHSA-mxgj-pq62-f644"
},
{
"name": "https://github.com/tutao/tutanota/commit/88ecad17d00d05a722399aed35f0d280899d55a2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tutao/tutanota/commit/88ecad17d00d05a722399aed35f0d280899d55a2"
},
{
"name": "https://github.com/tutao/tutanota/blob/master/src/desktop/ApplicationWindow.ts#L417",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tutao/tutanota/blob/master/src/desktop/ApplicationWindow.ts#L417"
},
{
"name": "https://github.com/tutao/tutanota/blob/master/src/desktop/ApplicationWindow.ts#L423",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tutao/tutanota/blob/master/src/desktop/ApplicationWindow.ts#L423"
},
{
"name": "https://user-images.githubusercontent.com/46137338/270564886-7a0389d3-f9ef-44e1-9f5e-57ccc72dcaa8.mp4",
"tags": [
"x_refsource_MISC"
],
"url": "https://user-images.githubusercontent.com/46137338/270564886-7a0389d3-f9ef-44e1-9f5e-57ccc72dcaa8.mp4"
}
],
"source": {
"advisory": "GHSA-mxgj-pq62-f644",
"discovery": "UNKNOWN"
},
"title": "Remote Code Execution via insufficiently sanitized call to shell.openExternal"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-46116",
"datePublished": "2023-12-15T13:44:05.153Z",
"dateReserved": "2023-10-16T17:51:35.570Z",
"dateUpdated": "2024-10-08T14:14:03.776Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}