Description

Nextcloud Mail is a mail app for Nextcloud. In versions prior to 1.9.6, the Nextcloud Mail application does not, by default, render images in emails to not leak the read state. The privacy filter failed to filter images with a `background-image` CSS attribute. Note that the images were still passed through the Nextcloud image proxy, and thus there was no IP leakage. The issue was patched in version 1.9.6 and 1.10.0. No workarounds are known to exist.

Related CPE's

a

nextcloud

nextcloud_mail

Vulnerable

References

https://github.com/nextcloud/mail/pull/5189

PatchThird Party Advisory

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xxp4-44xc-8crh

Third Party Advisory

https://hackerone.com/reports/1215251

ExploitThird Party Advisory

Weaknesses

[email protected]

Primary
NVD-CWE-Other

[email protected]

Secondary
CWE-20CWE-200

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

4.3 · Medium

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information

Source identifier

[email protected]

Vulnerability status

Analyzed

Published

2021-07-12T19:15:10.227

3 years ago

Last modified

2022-10-25T15:41:29.900

2 years ago