CVE Vulnerability

CVE-2021-32707

Nextcloud Mail is a mail app for Nextcloud. In versions prior to 1.9.6, the Nextcloud Mail application does not, by default, render images in emails to not leak the read state. The privacy filter failed to filter images with a `background-image` CSS attribute. Note that the images were still passed through the Nextcloud image proxy, and thus there was no IP leakage. The issue was patched in version 1.9.6 and 1.10.0. No workarounds are known to exist.

4 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 8 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

Scope

4.3 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://hackerone.com/reports/1215251 Exploit Third Party Advisory
https://github.com/nextcloud/mail/pull/5189 Patch Third Party Advisory
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xxp4-44xc-8crh Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:nextcloud:nextcloud_mail:*:*:*:*:*:*:*:*
Information

Published : 2021-07-12 07:15

Updated : 2022-10-25 03:41

NVD link : CVE-2021-32707

Mitre link : CVE-2021-32707

Products Affected
No products.
CWE
NVD-CWE-Other