
Cloud Vulnerability DB
A community-led vulnerabilities database
The BlueMail Android application through version 1.9.5.36 contains a cross-site scripting (XSS) vulnerability that allows an attacker to inject script through an HTML event attribute and to load arbitrary files through a src attribute. The vulnerability is exploitable when the application holds the READ_EXTERNAL_STORAGE permission (NVD, Gubello Blog).
The vulnerability exists in the Android WebView component implementation within BlueMail version 1.9.5.36. The application incorrectly handles JavaScript interfaces in the WebView, allowing for cross-site scripting attacks. The vulnerability is particularly concerning because it requires the READ_EXTERNAL_STORAGE permission, which is commonly granted to email applications (Gubello Blog).
The vulnerability could allow attackers to execute arbitrary JavaScript code within the context of the application's WebView. This could potentially lead to data theft, especially in cases where setAllowUniversalAccessFromFileURLs is set to True, which expands the attack surface (Gubello Blog).
The vendor was notified of the vulnerability but did not respond to the initial disclosure according to the researcher's report. Users should update to versions newer than 1.9.5.36 if available, or consider using alternative email clients with proper security implementations (Gubello Blog).
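The advisory attributes the issue to how the WebView is configured: JavaScript and file access enabled for untrusted message HTML, a JavaScript interface exposed to it, and (in the worst case) setAllowUniversalAccessFromFileURLs turned on. The following Java snippet is an added example, not BlueMail's code, that puts the permissive configuration next to a hardened one an email client could use for rendering message bodies. The class name MailWebViewFactory, the bridge object name "Android", and the base URL https://mail-content.invalid/ are constructed for illustration.

```java
import android.content.Context;
import android.webkit.WebResourceRequest;
import android.webkit.WebResourceResponse;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.io.ByteArrayInputStream;

/** Hypothetical factory contrasting a risky WebView setup with a hardened one. */
public final class MailWebViewFactory {

    private MailWebViewFactory() {}

    /**
     * The risky shape described in the advisory: script runs, local files are
     * reachable, file:// content may read other origins, and an app object is
     * exposed to page script. Untrusted email HTML should never get this.
     */
    public static WebView permissive(Context ctx, Object bridge) {
        WebView wv = new WebView(ctx);
        WebSettings s = wv.getSettings();
        s.setJavaScriptEnabled(true);                 // an injected onload=/onerror= attribute executes
        s.setAllowFileAccess(true);                   // <img src="file:///..."> is fetched from storage
        s.setAllowUniversalAccessFromFileURLs(true);  // file:// documents may read any origin
        wv.addJavascriptInterface(bridge, "Android"); // page script can call into app code
        return wv;
    }

    /**
     * Hardened: a message body is static content, so script, local file and
     * content-provider access, and any JavaScript bridge are all switched off.
     * Resource loads are restricted to https; everything else gets an empty
     * response instead of reaching the filesystem or another scheme handler.
     */
    public static WebView hardened(Context ctx) {
        WebView wv = new WebView(ctx);
        WebSettings s = wv.getSettings();
        s.setJavaScriptEnabled(false);
        s.setAllowFileAccess(false);
        s.setAllowContentAccess(false);
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);
        wv.setWebViewClient(new WebViewClient() {
            @Override
            public WebResourceResponse shouldInterceptRequest(WebView view, WebResourceRequest req) {
                String scheme = req.getUrl().getScheme();
                if ("https".equals(scheme)) {
                    return null; // null lets WebView perform the load normally
                }
                // Block file://, content://, http:// and anything else with an empty body
                return new WebResourceResponse("text/plain", "utf-8",
                        new ByteArrayInputStream(new byte[0]));
            }

            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest req) {
                // Never navigate the mail WebView itself; the app decides how links open
                return true;
            }
        });
        return wv;
    }

    /**
     * Render a (previously sanitized) message body under an opaque https origin
     * so the document is not treated as file:// content. The base URL is a
     * constructed placeholder; the reserved .invalid TLD never resolves.
     */
    public static void render(WebView wv, String sanitizedHtml) {
        wv.loadDataWithBaseURL("https://mail-content.invalid/", sanitizedHtml,
                "text/html", "utf-8", null);
    }
}
```

The WebView settings are defence in depth, not a substitute for input handling: the HTML passed to render() should already have gone through an allowlist-based HTML sanitizer that drops event-handler attributes and non-https src/href values, so that even a client with JavaScript enabled for other reasons is not exposed to the injection the advisory describes.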
Source: This report was generated using AI