A group member may not be an employee of the company hosting the group, but may be an authorized contractor or supplier with access to the group. In such cases, a malicious third party may be able to obtain a user's primary email address by sending a group member an email. An attacker may leverage this email to impersonate the user to other groups or to send out malicious emails. This issue has been classified as Critical due to the potential impact it may have on businesses and the ease with which it can be exploited. This issue was discovered during internal testing. As soon we are made aware of a new release version, we will update our gates.

Key Takeaways From This Section

A group leader may not be an employee of the company hosting the group, but may be an authorized contractor or supplier with access to the group. A malicious third party may be able to obtain a user's primary email address by sending a member of a group an email. An attacker may leverage this email to impersonate the user to other groups or to send out malicious emails. This issue has been classified as Critical due to the potential impact it may have on businesses and the ease with which it can be exploited.

References

- CVE-2022-3351

The issue was discovered during internal testing. As soon as we are made aware of a new release version, we will update our gates.

Vulnerability Description

A malicious third party may be able to obtain a user's primary email address by sending a group member an email. An attacker may leverage this email to impersonate the user to other groups or to send out malicious emails. This issue has been classified as Critical due to the potential impact it may have on businesses and the ease with which it can be exploited.

Timeline

Published on: 10/17/2022 16:15:00 UTC
Last modified on: 10/20/2022 14:28:00 UTC

References