Vulnerability DatabaseCVE-2024-23330

CVE-2024-23330:
Homebrew vulnerability analysis and mitigation

Overview

Tuta (formerly Tutanota), an encrypted email service, was found to contain a vulnerability in versions prior to 119.10 where external images in HTML emails could be loaded automatically despite disabled settings. This vulnerability was discovered in January 2024 and assigned CVE-2024-23330 (GitHub Advisory).

Technical details

The vulnerability stems from a bypass of the 'Automatic Reloading of Images' function. When this feature is disabled, certain embedded images are still loaded automatically, including over unencrypted HTTP connections, and redirections are followed. The issue has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The vulnerability is classified as Server-Side Request Forgery (SSRF) under CWE-918 (NVD).

Impact

The vulnerability exposes users to privacy risks as it allows email senders to determine when an email is read, collect information about the recipient's device, and obtain the user's IP address. This occurs without the user's explicit consent or awareness, contradicting the expected behavior of the email client's security settings (GitHub Advisory).

Mitigation and workarounds

The vulnerability has been patched in version 119.10 of the Tuta email service. Users should update to this version or later to protect against this security issue (GitHub Advisory).

Additional resources

Source: This report was generated using AI

Related Homebrew vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2026-22861	HIGH	8.8	Homebrew	iccdev	No	Yes	Jan 13, 2026
CVE-2026-22776	HIGH	8.7	Homebrew	cpp-httplib	No	Yes	Jan 12, 2026
CVE-2026-22783	HIGH	8.1	NixOS	iris	No	Yes	Jan 12, 2026
CVE-2026-21283	HIGH	7.8	Adobe Bridge	bridge	No	Yes	Jan 13, 2026
CVE-2026-22784	LOW	2.3	NixOS	lychee	No	Yes	Jan 12, 2026