N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-24v3-254g-jv85

GHSA-24v3-254g-jv85: Tuta Mail has DOM attribute and CSS injection in its Contact Viewer feature

Impact

Users importing contacts from untrusted sources.

Specifically crafted contact data can lead to some of DOM modifications for the link button next to the field e.g. the link address can be overriden. CSS can be manipulated to give the button arbitrary look and change it's size so that any click on the screen would lead to the specified URL. Modifying event listeners does not seem to be possible so no JS can be executed (which would also be prevented by CSP).

Technical details

The data is included as part of the mithril's hyperscript selector. It is possible to define a value like ][href=https://ddg.gg][style=position:fixed;width:150vw;height:200vh which will be included in the selector passed to Mithril and will be interpreted as part of the code.

Patches

https://github.com/tutao/tutanota/commit/e28345f5f78f628f9d5c04e785f79543f01dca8b

Workarounds

Do not open contact viewer on unpatched versions. If the contact was opened, close the app or use keyboard shortcuts to switch to another part of the app.

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-24v3-254g-jv85

GHSA-24v3-254g-jv85:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@tutao/tutanota-utils	npm	< 314.251111.0	314.251111.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in the ContactViewer.ts file, where several private methods (_renderSocialId, _renderWebsite, _renderMessengerHandle, _renderPhone, _renderAddress) were using string concatenation to build Mithril hyperscript selectors. This is a classic injection vulnerability. An attacker could craft a contact with a malicious value in one of the fields (e.g., social ID, website URL). When the contact is viewed, the malicious string would be embedded into the selector, allowing the attacker to inject arbitrary HTML attributes and CSS. This could be used to, for example, create a large, invisible link that covers the entire screen and points to a malicious website, tricking the user into clicking it.

The patch fixes this by changing the Mithril hyperscript calls from m('a[href=...]') to m('a', { href: ... }). This latter form is safe from injection because Mithril treats the attributes as a data object and properly escapes them, rather than parsing them from a string. The identified functions are the ones that contained these vulnerable calls and would be on the call stack when a malicious contact is rendered.

Vulnerable functions

ContactViewer._renderSocialId

src/mail-app/contacts/view/ContactViewer.ts

The function uses string interpolation to construct a Mithril hyperscript selector. A malicious `contactSocialId` can contain characters that break out of the `href` attribute and inject other attributes, such as `style`, leading to UI manipulation and potential phishing attacks.

ContactViewer._renderWebsite

src/mail-app/contacts/view/ContactViewer.ts

The function uses string interpolation to construct a Mithril hyperscript selector. A malicious `website.url` can contain characters that break out of the `href` attribute and inject other attributes, such as `style`, leading to UI manipulation and potential phishing attacks.

ContactViewer._renderMessengerHandle

src/mail-app/contacts/view/ContactViewer.ts

The function uses string interpolation to construct a Mithril hyperscript selector. A malicious `messengerHandle` URL can contain characters that break out of the `href` attribute and inject other attributes, such as `style`, leading to UI manipulation and potential phishing attacks.

ContactViewer._renderPhone

src/mail-app/contacts/view/ContactViewer.ts

The function uses string interpolation to construct a Mithril hyperscript selector. A malicious `phone.number` can contain characters that break out of the `href` attribute and inject other attributes, such as `style`, leading to UI manipulation and potential phishing attacks.

ContactViewer._renderAddress

src/mail-app/contacts/view/ContactViewer.ts

The function uses string interpolation to construct a Mithril hyperscript selector. A malicious `prepAddress` can contain characters that break out of the `href` attribute and inject other attributes, such as `style`, leading to UI manipulation and potential phishing attacks.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-24v3-254g-jv85: Tuta Mail has DOM attribute and CSS injection in its Contact Viewer feature

Impact

Technical details

Patches

Workarounds

GHSA-24v3-254g-jv85:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

N/A

N/A

Technical Details

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

GHSA-24v3-254g-jv85: Tuta Mail has DOM attribute and CSS injection in its Contact Viewer feature

Impact

Technical details

Patches

Workarounds

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI