CVSS 3.1 score: 6.1

AliasVault Web Client: Malicious Emails Can Execute Code

CVE-2026-26266
Summary

A stored cross-site scripting (XSS) issue was found in the email rendering feature of the AliasVault Web Client. If you view a specially crafted email in the web client, the attacker's JavaScript runs in your browser in the same origin as the AliasVault application. This affects versions 0.25.3 and lower of AliasVault. To protect yourself, update to the latest version of AliasVault, which fixes this issue.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor | Product | Affected versions | Fix available
aliasvault | aliasvault | <= 0.26.0 | –
Original title
AliasVault is a privacy-first password manager with built-in email aliasing. A stored cross-site scripting (XSS) vulnerability was identified in the email rendering feature of AliasVault Web Client...
Original description
AliasVault is a privacy-first password manager with built-in email aliasing. A stored cross-site scripting (XSS) vulnerability was identified in the email rendering feature of AliasVault Web Client versions 0.25.3 and lower. When viewing received emails on an alias, the HTML content is rendered in an iframe using srcdoc, which does not provide origin isolation. An attacker can send a crafted email containing malicious JavaScript to any AliasVault email alias. When the victim views the email in the web client, the script executes in the same origin as the application. No sanitization or sandboxing was applied to email HTML content before rendering. This vulnerability is fixed in 0.26.0.
NVD CVSS 3.1: 6.1
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
Published: 3 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026
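
The unsandboxed srcdoc rendering described above, next to a hardened form and a small review helper, as an added example that is not AliasVault's code or its 0.26.0 patch. The function names, the CSP string and the sample email are assumptions made for illustration.

```javascript
// Added example, not AliasVault code; all function names are hypothetical.

// Escape text for use inside a double-quoted HTML attribute value.
function escapeAttr(s) {
  return String(s).replace(/&/g, "&amp;").replace(/"/g, "&quot;")
    .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Before: no sandbox attribute, so the srcdoc document runs with the
// embedding application's origin and any script in the email executes there.
function renderEmailUnsafe(emailHtml) {
  return `<iframe srcdoc="${escapeAttr(emailHtml)}"></iframe>`;
}

// After: an empty sandbox gives the frame an opaque origin and disables
// scripts; the CSP meta tag also blocks remote loads (defence in depth).
const FRAME_CSP = "default-src 'none'; img-src data:; style-src 'unsafe-inline'";
function renderEmailSandboxed(emailHtml) {
  const doc = `<meta http-equiv="Content-Security-Policy" content="${FRAME_CSP}">${emailHtml}`;
  return `<iframe sandbox="" srcdoc="${escapeAttr(doc)}"></iframe>`;
}

// Review aid: report every <iframe srcdoc> whose sandbox is missing, or grants
// allow-scripts together with allow-same-origin (which undoes the isolation).
function auditSrcdocIframes(markup) {
  const findings = [];
  const tagRe = /<iframe\b((?:"[^"]*"|'[^']*'|[^'">])*)>/gi;
  const attrRe = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  for (const tag of markup.matchAll(tagRe)) {
    const attrs = new Map();
    // Quoted values are consumed whole, so text inside srcdoc is never
    // mistaken for an attribute of the iframe itself.
    for (const a of tag[1].matchAll(attrRe)) {
      const name = a[1].toLowerCase();
      if (!attrs.has(name)) attrs.set(name, a[2] ?? a[3] ?? a[4] ?? "");
    }
    if (!attrs.has("srcdoc")) continue;
    if (!attrs.has("sandbox")) { findings.push("missing-sandbox"); continue; }
    const tokens = attrs.get("sandbox").toLowerCase().split(/\s+/).filter(Boolean);
    if (tokens.includes("allow-scripts") && tokens.includes("allow-same-origin")) {
      findings.push("sandbox-escapable");
    }
  }
  return findings;
}

// Constructed sample email body (harmless script, for illustration only).
const SAMPLE_EMAIL = '<p>Invoice attached</p><script>document.title = "ran"</script>';
```

An empty sandbox also disables forms and popups in the framed email. Sanitizing the HTML with a vetted sanitizer before rendering complements the sandbox rather than replacing it.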