CVE-2021-32707
4.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Nextcloud Mail is a mail app for Nextcloud. In versions prior to 1.9.6, the Nextcloud Mail application does not, by default, render images in emails to not leak the read state. The privacy filter failed to filter images with a background-image CSS attribute. Note that the images were still passed through the Nextcloud image proxy, and thus there was no IP leakage. The issue was patched in version 1.9.6 and 1.10.0. No workarounds are known to exist.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| nextcloud | security-advisories | < 1.9.6 | affected |
Weaknesses
- CWE-20: CWE-20: Improper Input Validation
- CWE-200: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xxp4-44xc-8crh
- https://github.com/nextcloud/mail/pull/5189
- https://hackerone.com/reports/1215251
References
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xxp4-44xc-8crh
- https://github.com/nextcloud/mail/pull/5189
- https://hackerone.com/reports/1215251
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.