Google AOSP email application versions up to 7.0 suffer from an html injection vulnerability.
997b4ab75d2a1bd77ad1ed1e393d5be70361f9a6bcb2b694bbf2ee14017f4233
Good for Enterprise Android suffers from a html injection vulnerability. A remote attacker is able to send a crafted email with a payload that redirects the user to a target url as soon as he opens the email.
3cedb9d08e08030894233fae2c3c67c075f1d6bba394e2a490ea5814d8b65ad9