CVE-2023-33184
3.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Summary
Nextcloud Mail is a mail app in Nextcloud. A blind SSRF attack allowed to send GET requests to services running in the same web server. It is recommended that the Mail app is update to version 3.02, 2.2.5 or 1.15.3.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| nextcloud | security-advisories | < 1.15.3 | affected |
| nextcloud | security-advisories | < 2.2.5 | affected |
| nextcloud | security-advisories | < 3.02 | affected |
Weaknesses
- CWE-918: CWE-918: Server-Side Request Forgery (SSRF)
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8gph-9895-w564
- https://github.com/nextcloud/mail/pull/8275
- https://hackerone.com/reports/1913095
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8gph-9895-w564
- https://github.com/nextcloud/mail/pull/8275
- https://hackerone.com/reports/1913095
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.