Debian Security Advisory

DLA-3435-1 rainloop -- LTS security update

Date Reported:
28 May 2023
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 1004548.
In Mitre's CVE dictionary: CVE-2019-13389, CVE-2022-29360.
More information:

Cross-site scripting (XSS) vulnerabilities were found in rainloop, a web-based email client, which could lead to information disclosure including passphrase leak.

  • CVE-2019-13389

    It was discovered that RainLoop Webmail lacked XSS protection mechanisms such as xlink:href validation, the X-XSS-Protection header, and the Content-Security-Policy header.

  • CVE-2022-29360

    Simon Scannell discovered that RainLoop's Email Viewer allows XSS via a crafted text/html email message.

For Debian 10 buster, these problems have been fixed in version 1.12.1-2+deb10u1.

We recommend that you upgrade your rainloop packages.

For the detailed security status of rainloop please refer to its security tracker page at:

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: