Tutanota, DOM Manipulation Vulnerability, CVE-2024-29210 (Medium)

The vulnerability exists in how Tutanota processes contact data within the Mithril.js framework. User-controlled input from imported contact fields is not properly sanitized before being passed to Mithril's `m()` hyperscript function, which creates virtual DOM nodes. An attacker can craft a contact field value containing closing square brackets and new attribute declarations, such as `][href=https://attacker.com][style=position:fixed;top:0;left:0;width:100vw;height:100vh;opacity:0;]`. This payload prematurely closes the intended selector and injects malicious `href` and `style` attributes. When Mithril processes this selector string, it interprets the injected attributes as legitimate parts of the hyperscript selector, rendering a transparent, full-screen link that hijacks all user clicks.
Platform: Tutanota
Version: Pre-commit e28345f
Vulnerability: DOM Manipulation
Severity: Medium
Date: 2024-03-26

Prediction: 2024-04-02

What Undercode Says:

Simulating payload inspection and the payload in context (simplified):

```shell
# Simulating payload inspection
echo "Malicious Contact Snippet:" && cat malicious_contact.vcf
# Example payload in context (simplified): the crafted value lands inside the selector string
echo 'm("a[href=][href=https://ddg.gg][style=position:fixed;width:150vw;height:200vh;]", "Contact Website")'
```

```javascript
// Hypothetical vulnerable code pattern
function renderContactField(value) {
  // Unsanitized user input flows into the m() selector string
  return m(`a[href=${value}]`, "Website");
}
```

How the exploit works:

  1. Create a VCF contact file with a crafted field value (e.g., website URL).
  2. The payload closes the original `a` tag selector and adds new attributes.
  3. Import this contact into an unpatched Tutanota client.
  4. When the victim views the malicious contact, a transparent, page-covering link is rendered.
  5. Any click redirects the victim to the attacker’s specified URL.

Protection from this CVE:

Apply the official patch from commit `tutao/tutanota@e28345f`.

Strictly validate and sanitize all user-supplied contact data before DOM integration.
Implement a Content Security Policy (CSP) to restrict unauthorized navigation.
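To make the selector-injection mechanism and the fix concrete, here is an added example (not Tutanota's or Mithril's own code). `parseSelector` is a deliberately simplified stand-in for how a hyperscript selector such as `a[href=x][style=y]` is split into attributes; the vulnerable pattern interpolates the contact value into the selector, while the hardened pattern keeps the selector constant, passes user data through an attributes object, and allow-lists the URL scheme.

```javascript
// Simplified model of hyperscript selector parsing (assumption: the real
// Mithril parser also handles quoting and escaping; this one only splits
// on brackets, which is enough to show the injection).
function parseSelector(selector) {
  const tagMatch = selector.match(/^[a-zA-Z][\w-]*/);
  const tag = tagMatch ? tagMatch[0] : "div";
  const attrs = {};
  const re = /\[([^\]=]+)(?:=([^\]]*))?\]/g;
  let m;
  while ((m = re.exec(selector)) !== null) {
    attrs[m[1]] = m[2] === undefined ? true : m[2];
  }
  return { tag, attrs };
}

// Vulnerable pattern: the contact value is spliced into the selector string,
// so a value containing "]" closes the intended attribute and adds new ones.
function renderVulnerable(value) {
  return parseSelector(`a[href=${value}]`);
}

// Only plain http(s) URLs are accepted as link targets.
function safeHttpUrl(value) {
  try {
    const u = new URL(value);
    return u.protocol === "http:" || u.protocol === "https:";
  } catch (e) {
    return false;
  }
}

// Hardened pattern: constant selector, user data in the attributes object
// (the m(selector, attrs, children) form), where brackets are just characters.
function renderHardened(value) {
  const href = safeHttpUrl(value) ? value : "";
  return { tag: "a", attrs: { href: href, rel: "noopener noreferrer" } };
}

// Constructed sample payload shaped like the one in the advisory.
const SAMPLE_PAYLOAD =
  "][href=https://attacker.example][style=position:fixed;top:0;left:0;width:100vw;height:100vh;opacity:0;]";

console.log(renderVulnerable(SAMPLE_PAYLOAD).attrs); // injected href and style
console.log(renderHardened(SAMPLE_PAYLOAD).attrs);   // href: "" (rejected)
```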

Impact:

UI Redressing and Clickjacking leading to forced navigation. JavaScript execution is prevented by CSP.

Sources:

Reported By: github.com