Advisory Cross-Site Scripting Vulnerability in MinuteInbox

(A detailed security advisory, written in English, can be found below.)

Die Schwachstelle lässt sich ausnutzen, indem eine E-Mail an eine von MinuteInbox generierte temporäre E-Mail-Adresse gesendet wird. Öffnet der Empfänger die E-Mail, wird im E-Mail-Body enthaltenes JavaScript ausgeführt. Enthält diese E-Mail JavaScript im Betreff, wird der Code beim Empfänger sogar ohne weitere Interaktion ausgeführt, sofern er sich auf der Nachrichteneingangsseite befindet, da diese automatisch neu geladen wird:

Detailed security advisory:

Advisory ID: TO-2019-002
Product: MinuteInbox
Vendor: unknown
Tested Version: n/a Vulnerability
Type: Persistent Cross-Site Scripting
CVSS Risk: 4.8 (Medium)
CVSSv3: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Solution Status: Use alternative product
CWE Reference: CWE-79: Improper Neutralization of Input During Web Page Generation (‚Cross-site Scripting‘)
Author of Advisory: David Rieger

========================================================================

Overview:
MinuteInbox provides a disposable e-mail service. When visiting the application hosted on minuteinbox.com, a random e-mail address is generated which the visitor can use for up to one month for receiving e-mail without revealing their personal e-mail address to a service. The application contains a cross-site scripting vulnerability which is triggered upon receiving and/or viewing a message.

========================================================================

Vulnerability Details:
The vulnerability can be exploited by sending an e-mail to a temporary e-mail address obtained from minuteinbox.com. JavaScript included in the e-mail body is executed upon opening the received e-mail on minuteinbox.com. When JavaScript is used in the subject of the message, code is executed in the inbox view. This view is automatically refreshed periodically, so no user interaction is required for code execution.

========================================================================

Solution:
An alternative service should be used until the vulnerability is patched.

========================================================================

Disclosure Timeline:
05/14/2019 publication since no reply has been received
02/09/2019 contacted vendor again via e-mail
02/08/2019 contacted vendor again via contact form
02/04/2019 – 02/08/2019 Contacted Metronet (author of MinuteInbox according to meta tag), NUKIB (Czech CERT) and Ignum (hoster)
11/28/2018 contacted vendor again via e-mail
11/20/2018 contacted vendor via contact form on minuteinbox.com as well as e-mail

========================================================================

References:
* Product website: https://www.minuteinbox.com/
* Security advisory: https://blog.to.com/advisory-minuteinbox

========================================================================

Credits:
This vulnerability was discovered by David Rieger. Dimitri Lesy and Tobias Györfi provided helpful advice regarding this advisory.

========================================================================

Disclaimer:
The information provided in this security advisory is provided „as is“ and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on to.com.

========================================================================

Copyright:
Creative Commons – Attribution (by) – Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en