CVE-2019-12366
Description
The Nine application through 4.5.3a for Android allows XSS via an event attribute and arbitrary file loading via a src attribute, if the application has the READ_EXTERNAL_STORAGE permission.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Nine Email 4.5.3a for Android allows XSS via event attributes and arbitrary file loading via src attributes when READ_EXTERNAL_STORAGE is granted.
Vulnerability
The Nine Email application through version 4.5.3a for Android is vulnerable to cross-site scripting (XSS) via an event attribute and to arbitrary file loading via a src attribute, if the application has the READ_EXTERNAL_STORAGE permission [1]. This lets an attacker inject JavaScript into the WebView that renders mail, where it can be used to access sensitive data or to load files from external storage.
Exploitation
An attacker who is positioned to inject content (e.g., by sending a malicious email) can craft a message containing event attributes or src attributes that execute JavaScript when rendered in Nine's WebView. The user must have granted the READ_EXTERNAL_STORAGE permission, which file-attachment features commonly request [1]. No authentication beyond normal email access is required.
Impact
Successful exploitation allows an attacker to steal data from the WebView context, including email content and possibly files from external storage via the src attribute file loading. This can lead to information disclosure and potential privilege escalation if combined with other vulnerabilities [1].
Mitigation
No fixed version has been released as of the publication date (2020-03-18), and the vendor did not reply to the researcher [1]. Users should consider revoking the READ_EXTERNAL_STORAGE permission in Android settings, if the app still functions without it, or migrating to an alternative email client. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
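The two attribute classes described above (event handlers such as onmouseover, and src or href values that point into local storage) are exactly what a mail client's HTML sanitizer has to refuse before a message reaches the WebView. The following is an added example of such an allow-list sanitizer; it is not Nine's code, and the sample email it runs on is constructed for the demonstration. It rebuilds the document with Python's html.parser, drops every on* attribute, and keeps URL-bearing attributes only when they carry an absolute URL with an allow-listed scheme, so file:, content:, javascript: and relative paths (which a WebView would resolve against its base URL) are all removed.

```python
"""Allow-list sanitizer for HTML email bodies rendered in a WebView.

Added example, not part of the Nine application. It addresses the two
vectors from the CVE description: event-handler attributes (XSS) and
src/href values that load local files.
"""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Schemes a mail renderer can reasonably allow for resources and links.
ALLOWED_SCHEMES = {"http", "https", "cid", "mailto"}
# Attributes whose value the renderer resolves as a URL.
URL_ATTRS = {"src", "href", "background", "poster", "action", "formaction", "data"}
# Attributes dropped unconditionally: inline CSS can load via url(), srcset holds several URLs.
DROP_ATTRS = {"style", "srcset"}
# Elements removed together with their content.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "svg", "math"}
# Elements removed while their children are kept.
DROP_TAG_ONLY = {"base", "meta", "link", "form"}
VOID = {"img", "br", "hr", "input", "area", "col", "source", "wbr"}
_CTRL_WS = re.compile(r"[\x00-\x20\x7f]")


def url_is_allowed(value: str) -> bool:
    """True only for an absolute URL whose scheme is allow-listed.

    Relative URLs are rejected because the WebView resolves them against its
    base URL, which for a file:// base is local storage. Control characters
    and whitespace are stripped first, since browsers ignore them inside a
    scheme ("fi\\nle:" is still parsed as file:).
    """
    cleaned = _CTRL_WS.sub("", value)
    return urlsplit(cleaned).scheme.lower() in ALLOWED_SCHEMES


class EmailHtmlSanitizer(HTMLParser):
    """Re-emits the markup, keeping only tags and attributes that pass the checks."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.dropped: list[str] = []      # audit trail, e.g. "img@src"
        self._skipping: list[str] = []    # stack of open DROP_WITH_CONTENT tags

    def handle_starttag(self, tag, attrs):
        if self._skipping:
            if tag in DROP_WITH_CONTENT:
                self._skipping.append(tag)
            return
        if tag in DROP_WITH_CONTENT:
            self.dropped.append(tag)
            self._skipping.append(tag)
            return
        if tag in DROP_TAG_ONLY:
            self.dropped.append(tag)
            return
        parts = [tag]
        for name, value in attrs:
            if name.startswith("on") or name in DROP_ATTRS:
                self.dropped.append(f"{tag}@{name}")       # event handler or CSS/srcset
                continue
            if name in URL_ATTRS and not url_is_allowed(value or ""):
                self.dropped.append(f"{tag}@{name}")       # local file, javascript:, relative
                continue
            parts.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if self._skipping:
            if tag == self._skipping[-1]:
                self._skipping.pop()
            return
        if tag in DROP_TAG_ONLY or tag in DROP_WITH_CONTENT or tag in VOID:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skipping:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments are dropped; they can carry conditional markup


def sanitize_email_html(html: str) -> tuple[str, list[str]]:
    """Return (sanitized_html, list_of_dropped_items)."""
    parser = EmailHtmlSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample message exercising both vectors from the CVE description.
CONSTRUCTED_EMAIL = (
    '<p onmouseover="evil()">Quarterly report attached.</p>'
    '<img src="file:///sdcard/Download/contacts.vcf">'
    '<a href="https://example.com/report" onclick="evil()">Open report</a>'
    '<img src="cid:logo@example.com" alt="logo">'
    '<script>evil()</script>'
)

if __name__ == "__main__":
    clean, dropped = sanitize_email_html(CONSTRUCTED_EMAIL)
    print(clean)
    print("dropped:", dropped)
```

The dropped list is worth logging: a message that loses an on* attribute or a file: src is a signal worth alerting on, not just a rendering detail. Sanitizing is complementary to, not a replacement for, hardening the WebView itself (JavaScript off, file access off) so that anything the sanitizer misses still has nowhere to go.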
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Nine / Nine application
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- release-notes.9folders.com (MISC)
- gubello.me (MISC)
- www.gubello.me/blog/javascript-injection-in-six-android-mail-clients/ (MISC)
News mentions
No linked articles in our index yet.