Sec: Fix CVE-2022-29360 XSS vulnerability

[sadsfae]

• PR including the XSS patch for CVE-2022-29360

(patch credit)

• https://blog.sonarsource.com/rainloop-emails-at-risk-due-to-code-flaw/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29360

[Neustradamus]

@RainLoop: Can you look?

[nerzhul]

project seems dead author or company just resigned :(

[Neustradamus]

Please use SnappyMail from @the-djmaze, we can thanks for this work!

• https://snappymail.eu/
• https://github.com/the-djmaze/snappymail/

Please note that SnappyMail supports SCRAM-SHA-* for connection, very good security:

• SCRAM-SHA-1-PLUS + SCRAM-SHA-256-PLUS + SCRAM-SHA-512(-PLUS) + SCRAM-SHA3-512(-PLUS) supports the-djmaze/snappymail#182
• https://github.com/the-djmaze/snappymail/blob/master/snappymail/v/0.0.0/app/libraries/RainLoop/Model/Account.php

Linked to:

• RainLoop is dead, if possible switch to SnappyMail: https://github.com/the-djmaze/snappymail #2185
• Sec: Fix CVE-2022-29360 XSS vulnerability #2183
• Please fix the exploit, thanks! CVE-2022-29360 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29360 https://www.ddosi.org/cve-2022-29360/ https://www.youtube.com/watch?v=6dSiQH0pijk #2180
• Jan 2022: Is rainloop still maintained? #2162
• Security Contact for high severity Security Issue #2142
• Security Vulnerability "/_data_/…/storage/cfg/…/…/accounts" #2134
• Is this project dead? #1831

[RainLoop]

Fixed

[Neustradamus]

@RainLoop: Where is the fix?

[RainLoop]

#2187
https://github.com/RainLoop/rainloop-webmail/pull/2187/files#diff-22b1d644ea4075b18f15da66d7f277924b8df180700f379cb6eef964a9736c07R242

[sadsfae]

Welcome back @RainLoop

[ShamimIslam]

This issue is fixed. Let's back off from the hype. The replacement body item is now random hash. Thanks. v0.17 does not have this.