Debian Long Term Support / LTS Security Information / 2023 / Security Information -- DLA-3435-1 rainloop

Debian Security Advisory

DLA-3435-1 rainloop -- LTS security update

Date Reported:

28 May 2023

Affected Packages:

rainloop

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 1004548.
In Mitre's CVE dictionary: CVE-2019-13389, CVE-2022-29360.

More information:

Cross-site scripting (XSS) vulnerabilities were found in rainloop, a web-based email client, which could lead to information disclosure including passphrase leak.

• CVE-2019-13389

  It was discovered that RainLoop Webmail lacked XSS protection mechanisms such as xlink:href validation, the X-XSS-Protection header, and the Content-Security-Policy header.

• CVE-2022-29360

  Simon Scannell discovered that RainLoop's Email Viewer allows XSS via a crafted text/html email message.

For Debian 10 buster, these problems have been fixed in version 1.12.1-2+deb10u1.

We recommend that you upgrade your rainloop packages.

For the detailed security status of rainloop please refer to its security tracker page at: https://security-tracker.debian.org/tracker/rainloop

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS