ImportExportTools NG HTML Injection Vulnerability
Vulnerability
A persistent HTML injection vulnerability has been identified in ImportExportTools NG version 10.0.4 for Mozilla Thunderbird. It resides in the email export module, which does not properly sanitize the subject line of emails before writing it into the exported file. As a result, a remote attacker who can deliver a message to the victim's inbox can inject HTML that is carried unescaped into the export and executed when the exported file is viewed, potentially compromising user data or session credentials.
Impact
Successful exploitation results in attacker-controlled HTML being rendered in the context of the exported document, which can lead to the execution of malicious scripts or the manipulation of the exported data.
Reproduction
To reproduce this vulnerability, install Mozilla Thunderbird and the ImportExportTools NG version 10.0.4. Then, send an email to the target inbox with a crafted HTML payload in the subject line. After that, export the inbox content as HTML using the ImportExportTools NG extension. The injected HTML payload will execute in the exported file, demonstrating the vulnerability.
Remediation
Users are advised to update to ImportExportTools NG version 14.1.15, which addresses the HTML injection vulnerability by sanitizing and encoding subject content before export.
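The following is an added illustration of the encoding step the fix describes; it is example code written for this page, not code from ImportExportTools NG. It contrasts a template that interpolates the subject verbatim (the vulnerable pattern) with one that HTML-encodes every untrusted header field first, and includes a small check a defender can run over an exported file. The function names, the row template and the sample message are all assumptions constructed for the example.

```javascript
// Added example, not ImportExportTools NG's own code. Shows why an unencoded
// subject line breaks out of the exported HTML and how encoding before
// interpolation fixes it. All names below are assumptions for illustration.

// Characters that carry meaning in HTML text and attribute context.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode a header value so it is displayed as text rather than parsed as markup.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the subject is interpolated verbatim into the export,
// so any markup inside it becomes part of the exported document.
function renderMessageUnsafe(msg) {
  return `<tr><td class="subject">${msg.subject}</td>` +
         `<td class="author">${msg.author}</td></tr>`;
}

// Hardened pattern: every attacker-influenced field is encoded first. The
// template's own tags are the only tags left in the output.
function renderMessageSafe(msg) {
  return `<tr><td class="subject">${encodeHtml(msg.subject)}</td>` +
         `<td class="author">${encodeHtml(msg.author)}</td></tr>`;
}

// Defender-side check for an already-exported file: flag any raw tag that the
// export template never emits. The tag list is an assumption; extend as needed.
function containsRawTag(rendered) {
  return /<\s*(script|img|iframe|svg|object)\b/i.test(rendered);
}

// Constructed sample message (not a real email). The subject carries markup
// that must be shown as text, never interpreted, when the export is opened.
const sampleMessage = {
  subject: 'Invoice <script>alert(1)</script> attached',
  author: '"Mallory" <mallory@example.invalid>',
};

// Render both forms so the difference can be inspected or asserted on.
function demo(msg = sampleMessage) {
  return {
    unsafe: renderMessageUnsafe(msg),
    safe: renderMessageSafe(msg),
  };
}

const out = demo();
console.log('unsafe export row:', out.unsafe);
console.log('safe export row:  ', out.safe);
console.log('raw tag in unsafe:', containsRawTag(out.unsafe));
console.log('raw tag in safe:  ', containsRawTag(out.safe));
```

Encoding is applied at the point of interpolation rather than on receipt, because the same subject may also be written to non-HTML formats where the entities would be wrong; the `containsRawTag` check is a coarse triage aid for exports produced before the fix, not a substitute for the encoding.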
