A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z | AA | |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1 | Mail clients | Is affected by Mailsploit | Spoofing | XSS / Code Injection | Report date | Has been fixed | Notes | ||||||||||||||||||||
2 | Apple Mail.app MACOS IOS | YES | YES | NO | July 16, 2017 | FIXED AS OF 29 MAR. 2018 | All versions of macOS and iOS are affected. watchOS as well. Regarding the fix: https://twitter.com/pwnsdx/status/1008092924834349057 | ||||||||||||||||||||
3 | Mozilla Thunderbird / SeaMonkey MACOS WINDOWS | YES | YES | NO | August 21, 2017 | FIXED AS OF 22 DEC. 2017 | GOOD NEWS! Mozilla fixed the issue in Thunderbird. https://bugzilla.mozilla.org/show_bug.cgi?id=1423432 Original discussion was over email using PGP and resulted in a WON'T FIX. No bugzilla report was made. | ||||||||||||||||||||
4 | Mail for Windows 10 WINDOWS | YES | YES | NO | September 5, 2017 | TRIAGED | |||||||||||||||||||||
5 | Microsoft Outlook 2016 MACOS WINDOWS | YES | YES | NO | September 5, 2017 | FIXED AS OF 9 JAN. 2018 (MAC) | |||||||||||||||||||||
6 | Yahoo! Mail IOS | YES | YES | YES | August 26, 2017 | FIXED AS OF 19 OCT. 2017 | |||||||||||||||||||||
7 | Yahoo! Mail ANDROID | YES | YES | YES | August 26, 2017 | FIXED AS OF 19 OCT. 2017 | |||||||||||||||||||||
8 | [A bug bounty program that does not allow disclosure yet] ANDROID | YES | YES | NO | August 24, 2017 | TRIAGED | |||||||||||||||||||||
9 | [A bug bounty program that does not allow disclosure yet] IOS | YES | YES | YES | August 24, 2017 | TRIAGED | |||||||||||||||||||||
10 | Spark ≤ 1.4.1.392 MACOS | YES | YES | YES (+ FILE WRITING VIA ATTACHMENTS) | September 5, 2017 | REPORTED | File writing is limited by macOS sandbox | ||||||||||||||||||||
11 | Spark IOS | YES | YES | YES | September 5, 2017 | REPORTED | |||||||||||||||||||||
12 | ProtonMail ANDROID IOS | YES | YES | NO | August 24, 2017 | FIXED AS OF 1 SEPT. 2017 | |||||||||||||||||||||
13 | Polymail MACOS | YES | YES | YES | September 5, 2017 | REPORTED | File writing is NOT limited by macOS sandbox | ||||||||||||||||||||
14 | Airmail ≤ 3.3.3 MACOS | YES | NO | YES (+ FILE READING, FILE WRITING VIA ATTACHMENTS) | September 5, 2017 | REPORTED | File writing is limited by macOS sandbox | ||||||||||||||||||||
15 | BlueMail ≤ 1.9.2.62 ANDROID | YES | YES | YES | September 5, 2017 | REPORTED | |||||||||||||||||||||
16 | TypeApp ANDROID IOS | YES | YES | YES | September 5, 2017 | REPORTED | |||||||||||||||||||||
17 | AquaMail ANDROID | YES | YES | NO | September 5, 2017 | REPORTED | |||||||||||||||||||||
18 | Opera Mail MACOS WINDOWS | YES | YES (+ IN THE RAW SOURCE) | NO | September 5, 2017 | WON'T FIX | |||||||||||||||||||||
19 | Postbox ≤ 5.0.18 MACOS WINDOWS | YES | YES | NO | September 5, 2017 | REPORTED | |||||||||||||||||||||
20 | Newton ANDROID MACOS WINDOWS | YES | YES | YES | September 2, 2017 | FIXED AS OF 13 DEC. 2017 | |||||||||||||||||||||
21 | Guerrilla Mail ANDROID | YES | YES | NO | September 5, 2017 | WON'T FIX (NOT NECESSARY) | |||||||||||||||||||||
22 | Email Exchange + by MailWise ANDROID | YES | NO | YES (+ FILE WRITING VIA ATTACHMENTS) | September 5, 2017 | REPORTED | File writing is limited by Android sandbox | ||||||||||||||||||||
23 | AOL Mail ANDROID | YES | YES | NO BUT FILE WRITING VIA ATTACHMENTS | September 5, 2017 | REPORTED | File writing is limited by Android sandbox | ||||||||||||||||||||
24 | TouchMail WINDOWS | YES | YES | NO | September 5, 2017 | REPORTED | |||||||||||||||||||||
25 | Mailbird WINDOWS | NO | NO | YES | September 5, 2017 | REPORTED | |||||||||||||||||||||
26 | Gmail / Inbox by Gmail ANDROID IOS | NO | NO | NO | |||||||||||||||||||||||
27 | eM Client WINDOWS | NO | NO | NO | |||||||||||||||||||||||
28 | Claws Mail / Sylpheed WINDOWS | NO | NO | NO | |||||||||||||||||||||||
29 | OE Classic WINDOWS | NO | NO | NO | |||||||||||||||||||||||
30 | |||||||||||||||||||||||||||
31 | Webmail clients | Is affected by Mailsploit | Spoofing | XSS / Code Injection | Report date | Has been fixed | Notes | ||||||||||||||||||||
32 | Hushmail WEB | YES | YES | YES | August 27, 2017 | FIXED AS OF 27 AUG. 2017 | |||||||||||||||||||||
33 | Openmailbox.org WEB | YES | YES | YES (CAN MODIFY SENDER IN THE DOM AFTERWARDS) | August 27, 2017 | FIXED AS OF 27 AUG. 2017 | |||||||||||||||||||||
34 | [A bug bounty program that does not allow disclosure yet] WEB | YES | YES | NO | August 24, 2017 | TRIAGED | |||||||||||||||||||||
35 | Open Xchange (Mailbox.org, Namecheap Private Email...) WEB | YES | YES | NO | September 5, 2017 | FIXED AS OF 25 SEPT. 2017 | |||||||||||||||||||||
36 | ProtonMail WEB | YES | YES | NO | August 24, 2017 | FIXED AS OF 1 SEPT. 2017 | |||||||||||||||||||||
37 | Yahoo! Mail (new interface in beta) WEB | YES | YES | NO | August 26, 2017 | FIXED | |||||||||||||||||||||
38 | Mailfence WEB | YES | YES (LIST OF EMAILS ONLY) | YES (VIA EMAIL CONTENT) | November 25, 2017 | FIXED AS OF 27 NOV. 2017 | |||||||||||||||||||||
39 | Microsoft Outlook Web WEB | NO | NO | NO | |||||||||||||||||||||||
40 | Microsoft Exchange 2016 WEB | NO | NO | NO | |||||||||||||||||||||||
41 | Microsoft Office 365 WEB | NO | NO | NO | |||||||||||||||||||||||
42 | Gmail WEB | NO | NO | NO | |||||||||||||||||||||||
43 | Fastmail WEB | NO | NO | NO | |||||||||||||||||||||||
44 | GMX / Mail.com / 1&1 WEB | NO | NO | NO | |||||||||||||||||||||||
45 | |||||||||||||||||||||||||||
46 | Support ticket systems | Is affected by Mailsploit | Spoofing | XSS / Code Injection | Report date | Has been fixed | Notes | ||||||||||||||||||||
47 | Supportsystem WEB | YES | YES | NO | September 5, 2017 | REPORTED | |||||||||||||||||||||
48 | osTicket WEB | YES | YES | NO | September 5, 2017 | REPORTED | |||||||||||||||||||||
49 | Intercom WEB | YES | YES | NO | August 31, 2017 | FIXED AS OF 12 SEPT. 2017 | |||||||||||||||||||||
50 | |||||||||||||||||||||||||||
51 | Candidates found by the community | Is affected by Mailsploit | Spoofing | XSS / Code Injection | Report date | Has been fixed | Notes | ||||||||||||||||||||
52 | Vivaldi WEB | YES | YES | NO | December 5, 2017 | REPORTED | https://twitter.com/vivaldibrowser/status/938033903314534401 | ||||||||||||||||||||
53 | K-9 Mail ANDROID | YES | YES | UNKNOWN | December 5, 2017 | REPORTED | https://github.com/k9mail/k-9/issues/2962 | ||||||||||||||||||||
54 | [A bug bounty program that does not allow disclosure yet] WEB | YES | YES | UNKNOWN | December 5, 2017 | REPORTED | |||||||||||||||||||||
55 | MailMate MACOS | YES | YES | UNKNOWN | December 5, 2017 | FIXED AS OF 6 DEC. 2017 | https://blog.freron.com/2017/mailmate-1-10-released/ | ||||||||||||||||||||
56 | Modoboa WEB | YES | YES | UNKNOWN | December 8, 2017 | FIXED AS OF 8 DEC. 2017 | https://github.com/modoboa/modoboa/issues/1323#issue-280443020 | ||||||||||||||||||||
57 | Edison Mail IOS ANDROID | YES | NO | YES | December 13, 2017 | REPORTED | |||||||||||||||||||||
58 | The Bat! WINDOWS | YES | YES | UNKNOWN | FIXED AS OF 10 JAN. 2018 | ||||||||||||||||||||||
59 | eM Client WINDOWS | NO | NO | NO | |||||||||||||||||||||||
60 | Tutanota WEB | NO | NO | NO | |||||||||||||||||||||||
61 | Sylpheed 3.6.0 LINUX | NO | NO | UNKNOWN | |||||||||||||||||||||||
62 | Jolla Mail SAILFISH OS BY JOLLA | YES | YES | UNKNOWN | December 5, 2017 | REPORTED | https://together.jolla.com/question/175540/mailsploit-and-jolla-email-client/ | ||||||||||||||||||||
63 | RainLoop WEB | YES | YES | UNKNOWN | December 5, 2017 | REPORTED | https://github.com/RainLoop/rainloop-webmail/issues/1591 | ||||||||||||||||||||
64 | IBM Notes WEB | YES | YES | UNKNOWN | According to 2 different anonymous sources | ||||||||||||||||||||||
65 | IBM Verse WEB | YES | YES | UNKNOWN | According to an anonymous source | ||||||||||||||||||||||
66 | IBM Verse ANDROID IOS | YES | YES | UNKNOWN | According to an anonymous source | ||||||||||||||||||||||
67 | NINE Email & Calendar ANDROID | YES | YES | UNKNOWN | According to Greg Foss in the comments | ||||||||||||||||||||||
68 | Roundcube WEB | NO | NO | NO | |||||||||||||||||||||||
69 | Mutt LINUX | NO | NO | UNKNOWN | |||||||||||||||||||||||
70 | KMail LINUX | NO | NO | NO | |||||||||||||||||||||||
71 | * Blue = Not confirmed by myself / vendor | ||||||||||||||||||||||||||
72 | |||||||||||||||||||||||||||
73 | |||||||||||||||||||||||||||
74 | |||||||||||||||||||||||||||
75 | |||||||||||||||||||||||||||
76 | |||||||||||||||||||||||||||
77 | |||||||||||||||||||||||||||
78 | |||||||||||||||||||||||||||
79 | |||||||||||||||||||||||||||
80 | |||||||||||||||||||||||||||
81 | |||||||||||||||||||||||||||
82 | |||||||||||||||||||||||||||
83 | |||||||||||||||||||||||||||
84 | |||||||||||||||||||||||||||
85 | |||||||||||||||||||||||||||
86 | |||||||||||||||||||||||||||
87 | |||||||||||||||||||||||||||
88 | |||||||||||||||||||||||||||
89 | |||||||||||||||||||||||||||
90 | |||||||||||||||||||||||||||
91 | |||||||||||||||||||||||||||
92 | |||||||||||||||||||||||||||
93 | |||||||||||||||||||||||||||
94 | |||||||||||||||||||||||||||
95 | |||||||||||||||||||||||||||
96 | |||||||||||||||||||||||||||
97 | |||||||||||||||||||||||||||
98 | |||||||||||||||||||||||||||
99 | |||||||||||||||||||||||||||
100 |