HomeAdvisoriesAirmail 3 for Mac

Airmail 3 for Mac

Scheme Handler Incorrect Access Control

Previous AdvisoryNext Advisory

CVE ID

CVE-2018-15667

Vendor

Bloop S.R.L.

Product

Airmail 3 for Mac

Product Version

3.5.9

Vulnerability Details

Airmail for Mac registers and uses the airmail:// URL scheme. The “send” command in the URL scheme allows an external application to send arbitrary emails from an active account without authentication.

The handler has no restriction on who can use its functionality. The handler can be invoked using any method that invokes the URL handler such as a hyperlink in an email. The user is not prompted when the handler processes the “send” command which automatically sends an attacker crafted email from the target account.

Learn more

Vendor Response

No response.

Disclosure Timeline

06.08.2018
Vendor disclosure via email
13.08.2018
Vendor notified via Support Page
21.08.2018
Vendor notified of the advisory release

Previous AdvisoryNext Advisory

A Look at RACI Models within Application Threat Modeling

Offensive Security

DevSecOps

GRC Services

Threat Intelligence

VS-Labs Security Research

Envisions Geopolitical Threat Report:

By Industry

Chrome Exploitation: How to easily launch a Chrome RCE+SBX exploit chain with one command

Security Resources

5 Steps to Implement an Application Threat Modeling Program

Who We Are

Airmail 3 for Mac

CVE ID

Vendor

Product

Product Version

Vulnerability Details

Vendor Response

Disclosure Timeline