Description

Nextcloud Mail is a mail app for Nextcloud. In versions prior to 1.9.6, the Nextcloud Mail application does not, by default, render images in emails to not leak the read state. The privacy filter failed to filter images with a `background-image` CSS attribute. Note that the images were still passed through the Nextcloud image proxy, and thus there was no IP leakage. The issue was patched in version 1.9.6 and 1.10.0. No workarounds are known to exist.

Related CPE's

a

nextcloud

mail

Vulnerable

References

https://github.com/nextcloud/mail/pull/5189

PatchThird Party Advisory

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xxp4-44xc-8crh

Third Party Advisory

https://hackerone.com/reports/1215251

ExploitThird Party Advisory

https://github.com/nextcloud/mail/pull/5189

PatchThird Party Advisory

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xxp4-44xc-8crh

Third Party Advisory

https://hackerone.com/reports/1215251

ExploitThird Party Advisory

Weaknesses

[email protected]

Secondary
CWE-20CWE-200

[email protected]

Primary
NVD-CWE-Other

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

4.3 · Medium

Information

Source identifier

[email protected]

Vulnerability status

Modified

Published

2021-07-12T17:15:10.227Z

4 years ago

Last modified

2024-11-21T05:07:34.327Z

1 year ago