Google AOSP Email for Android Open Redirect Vulnerability CNVD-2015-07759

Published: 2025-04-13
Revised: 2025-04-13

The Google AOSP Email App is vulnerable to HTML injection in the email body. A remote attacker can send a crafted email with a payload that redirects the user to a target URL as soon as the email is opened. The issue is not related to the email provider configured in the app; it is caused by incorrect client-side filtering of potentially dangerous tags. The app is available in all Android versions up to KitKat (4.4.4). It exists because, until Gmail for Android 5.0, it was the only way to configure other email providers (Exchange servers, Yahoo, Hotmail, etc.) on Android. From Android Lollipop (5.0) upwards, the AOSP app no longer exists in the system. Since there are probably still a lot of users using the AOSP Email App, we decided to contact Google regarding this issue. After some interactions, Google gave us the feedback that they don't have plans to fix this vulnerability. The vulnerability can be confirmed by sending an HTML email with...

0%
No Exp or PoC currently available
There are currently 0 affected product records