GitHub_MCVELIST:CVE-2023-46116CVE-2023-46116 Remote Code Execution via insufficiently sanitized call to shell.openExternal
9.3 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
9.6 High
AI Score
Confidence
High
0.008 Low
EPSS
Percentile
81.8%
Tutanota (Tuta Mail) is an encrypted email provider. Tutanota allows users to open links in emails in external applications. Prior to version 3.118.12, it correctly blocks the file: URL scheme, which can be used by malicious actors to gain code execution on a victims computer, however fails to check other harmful schemes such as ftp:, smb:, etc. which can also be used. Successful exploitation of this vulnerability will enable an attacker to gain code execution on a victim’s computer. Version 3.118.2 contains a patch for this issue.
CNA Affected
[
{
"vendor": "tutao",
"product": "tutanota",
"versions": [
{
"version": "< 3.118.12",
"status": "affected"
}
]
}
]References
github.com/tutao/tutanota/blob/master/src/desktop/ApplicationWindow.ts#L417
github.com/tutao/tutanota/blob/master/src/desktop/ApplicationWindow.ts#L423
github.com/tutao/tutanota/commit/88ecad17d00d05a722399aed35f0d280899d55a2
github.com/tutao/tutanota/security/advisories/GHSA-mxgj-pq62-f644
user-images.githubusercontent.com/46137338/270564886-7a0389d3-f9ef-44e1-9f5e-57ccc72dcaa8.mp4
Related
9.3 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
9.6 High
AI Score
Confidence
High
0.008 Low
EPSS
Percentile
81.8%