Description
Tutanota (Tuta Mail) is an encrypted email provider. Tutanota allows users to open links in emails in external applications. Prior to version 3.118.12, it correctly blocks the `file:` URL scheme, which can be used by malicious actors to gain code execution on a victim's computer; however, it fails to check other harmful schemes such as `ftp:`, `smb:`, etc., which can also be used for the same purpose. Successful exploitation of this vulnerability enables an attacker to gain code execution on a victim's computer. Version 3.118.2 contains a patch for this issue.
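As an added example that is not part of this record or of the Tutanota code base, the following TypeScript contrasts the deny-list check the description criticises (refusing only `file:`) with an allow-list check that refuses every scheme the client has no reason to hand to the operating system. TypeScript is used because the referenced file is `ApplicationWindow.ts`; the link samples and hostnames are constructed placeholders.

```typescript
// Added example (not Tutanota's code): scheme deny-list versus scheme allow-list
// for links a mail client passes to the operating system to open externally.

// Deny-list check resembling the behaviour the advisory describes: only "file:"
// is refused, so any other scheme the OS maps to a handler is passed through.
function blocklistAllows(raw: string): boolean {
  let url: URL;
  try {
    url = new URL(raw.trim());
  } catch {
    return false; // unparsable input is never opened
  }
  return url.protocol !== "file:";
}

// Allow-list check: only schemes the client deliberately supports are opened.
// Anything else, known or unknown, is refused by default.
const ALLOWED_SCHEMES: ReadonlySet<string> = new Set(["http:", "https:", "mailto:"]);

function allowlistAllows(raw: string): boolean {
  let url: URL;
  try {
    url = new URL(raw.trim());
  } catch {
    return false;
  }
  // The WHATWG URL parser lowercases the scheme, so "FILE:" and "file:" compare equal.
  return ALLOWED_SCHEMES.has(url.protocol);
}

// Constructed sample links; hostnames are placeholders, not real targets.
const SAMPLE_LINKS: readonly string[] = [
  "https://example.com/invoice.pdf",
  "mailto:billing@example.com",
  "file:///etc/hosts",
  "FILE:///etc/hosts",
  "ftp://placeholder.example/share/document",
  "smb://placeholder.example/share/document",
];

// Returns the links the deny-list would open but the allow-list refuses,
// i.e. the gap the CWE-20 (improper input validation) finding is about.
function gapBetweenPolicies(links: readonly string[] = SAMPLE_LINKS): string[] {
  return links.filter((l) => blocklistAllows(l) && !allowlistAllows(l));
}
```

Running `gapBetweenPolicies()` over the samples returns the `ftp:` and `smb:` links only, which is exactly the set the deny-list lets through.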
References
Exploit, Vendor Advisory (x_refsource_confirm): https://github.com/tutao/tutanota/security/advisories/GHSA-mxgj-pq62-f644
Patch (x_refsource_misc): https://github.com/tutao/tutanota/commit/88ecad17d00d05a722399aed35f0d280899d55a2
Product (x_refsource_misc): https://github.com/tutao/tutanota/blob/master/src/desktop/ApplicationWindow.ts#L417
Product (x_refsource_misc): https://github.com/tutao/tutanota/blob/master/src/desktop/ApplicationWindow.ts#L423
Scores
CVSS v3: 9.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Attack Vector: NETWORK
EPSS: 0.0066
EPSS Percentile: 71.3%
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: total
Details
CWE: CWE-20
Status: published
Products (1): tuta/tutanota < 3.118.12
Published: Dec 15, 2023
Tracked Since: Feb 18, 2026