Unpatched RainLoop Webmail allows attackers to steal emails from the inboxes of victims. The vulnerability is a Stored Cross Site-Scripting, or XSS, vulnerability tracked as CVE-2022-29360. An attacker who knows the email address of an employee of a targeted organization can send the victim a maliciously crafted email, it executes a hidden JavaScript payload in the browser of the victim. No official patch is available, and the vulnerability can be exploited in any RainLoop installation.”]
Source: https://www.cuinfosecurity.com/unpatched-rainloop-webmail-enables-theft-emails-a-18948