Tutanota
CVE-2023-46116
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
Tutanota (Tuta Mail) is an encrypted email provider. Tutanota allows users to open links in emails in external applications. Prior to version 3.118.12, it correctly blocks the file: URL scheme, which can be used by malicious actors to gain code execution on a victims computer, however fails to check other harmful schemes such as ftp:, smb:, etc. which can also be used. Successful exploitation of this vulnerability will enable an attacker to gain code execution on a victim's computer. Version 3.118.2 contains a patch for this issue.
AnalysisAI
Tutanota (Tuta Mail) is an encrypted email provider. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified under CWE-20. Tutanota (Tuta Mail) is an encrypted email provider. Tutanota allows users to open links in emails in external applications. Prior to version 3.118.12, it correctly blocks the file: URL scheme, which can be used by malicious actors to gain code execution on a victims computer, however fails to check other harmful schemes such as ftp:, smb:, etc. which can also be used. Successful exploitation of this vulnerability will enable an attacker to gain code execution on a victim's computer. Version 3.118.2 contains a patch for this issue. Affected products include: Tuta Tutanota. Version information: version 3.118.12.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Tuta is an encrypted email service. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no aut
Tuta is an encrypted email service. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no aut
Same weakness CWE-20 – Improper Input Validation
View allShare
External POC / Exploit Code
Leaving vuln.today