Vulnerabilities (CVE)

Filtered by vendor Nextcloud Subscribe
Filtered by product Mail
Total 12 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-8156 2 Fedoraproject, Nextcloud 2 Fedora, Mail 2024-11-20 6.8 MEDIUM 7.0 HIGH
A missing verification of the TLS host in Nextcloud Mail 1.1.3 allowed a man in the middle attack.
CVE-2021-32652 1 Nextcloud 1 Mail 2024-11-20 4.0 MEDIUM 4.3 MEDIUM
Nextcloud Mail is a mail app for the Nextcloud platform. A missing permission check in Nextcloud Mail before 1.4.3 and 1.8.2 allows another authenticated users to access mail metadata of other users. Versions 1.4.3 and 1.8.2 contain patches for this vulnerability; no workarounds other than the patches are known to exist.
CVE-2021-32707 1 Nextcloud 1 Mail 2024-11-20 4.0 MEDIUM 4.3 MEDIUM
Nextcloud Mail is a mail app for Nextcloud. In versions prior to 1.9.6, the Nextcloud Mail application does not, by default, render images in emails to not leak the read state. The privacy filter failed to filter images with a `background-image` CSS attribute. Note that the images were still passed through the Nextcloud image proxy, and thus there was no IP leakage. The issue was patched in version 1.9.6 and 1.10.0. No workarounds are known to exist.
CVE-2023-33184 1 Nextcloud 1 Mail 2024-11-20 N/A 5.3 MEDIUM
Nextcloud Mail is a mail app in Nextcloud. A blind SSRF attack allowed to send GET requests to services running in the same web server. It is recommended that the Mail app is update to version 3.02, 2.2.5 or 1.15.3.
CVE-2023-48307 1 Nextcloud 1 Mail 2024-02-28 N/A 9.8 CRITICAL
Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. Starting in version 1.13.0 and prior to version 2.2.8 and 3.3.0, an attacker can use an unprotected endpoint in the Mail app to perform a SSRF attack. Nextcloud Mail app versions 2.2.8 and 3.3.0 contain a patch for this issue. As a workaround, disable the mail app.
CVE-2023-45660 1 Nextcloud 1 Mail 2024-02-28 N/A 4.3 MEDIUM
Nextcloud mail is an email app for the Nextcloud home server platform. In affected versions a missing check of origin, target and cookies allows for an attacker to abuse the proxy endpoint to denial of service a third server. It is recommended that the Nextcloud Mail is upgraded to 2.2.8 or 3.3.0. There are no known workarounds for this vulnerability.
CVE-2023-25160 1 Nextcloud 1 Mail 2024-02-28 N/A 5.3 MEDIUM
Nextcloud Mail is an email app for the Nextcloud home server platform. Prior to versions 2.2.1, 1.14.5, 1.12.9, and 1.11.8, an attacker can access the mail box by ID getting the subjects and the first characters of the emails. Users should upgrade to Mail 2.2.1 for Nextcloud 25, Mail 1.14.5 for Nextcloud 22-24, Mail 1.12.9 for Nextcloud 21, or Mail 1.11.8 for Nextcloud 20 to receive a patch. No known workarounds are available.
CVE-2023-23943 1 Nextcloud 1 Mail 2024-02-28 N/A 4.3 MEDIUM
Nextcloud mail is an email app for the nextcloud home server platform. In affected versions the SMTP, IMAP and Sieve host fields allowed to scan for internal services and servers reachable from within the local network of the Nextcloud Server. It is recommended that the Nextcloud Maill app is upgraded to 1.15.0 or 2.2.2. The only known workaround for this issue is to completely disable the nextcloud mail app.
CVE-2023-23944 1 Nextcloud 1 Mail 2024-02-28 N/A 6.5 MEDIUM
Nextcloud mail is an email app for the nextcloud home server platform. In versions prior to 2.2.2 user's passwords were stored in cleartext in the database during the duration of OAuth2 setup procedure. Any attacker or malicious user with access to the database would have access to these user passwords until the OAuth setup has been completed. It is recommended that the Nextcloud Mail app is upgraded to 2.2.2. There are no known workarounds for this issue.
CVE-2022-31132 1 Nextcloud 1 Mail 2024-02-28 N/A 9.8 CRITICAL
Nextcloud Mail is an email application for the nextcloud personal cloud product. Affected versions shipped with a CSS minifier on the path `./vendor/cerdic/css-tidy/css_optimiser.php`. Access to the minifier is unrestricted and access may lead to Server-Side Request Forgery (SSRF). It is recommendet to upgrade to Mail 1.12.7 or Mail 1.13.6. Users unable to upgrade may manually delete the file located at `./vendor/cerdic/css-tidy/css_optimiser.php`
CVE-2022-31119 1 Nextcloud 1 Mail 2024-02-28 N/A 4.9 MEDIUM
Nextcloud Mail is an email application for the nextcloud personal cloud product. Affected versions of Nextcloud mail would log user passwords to disk in the event of a misconfiguration. Should an attacker gain access to the logs complete access to affected accounts would be obtainable. It is recommended that the Nextcloud Mail is upgraded to 1.12.1. Operators should inspect their logs and remove passwords which have been logged. There are no workarounds to prevent logging in the event of a misconfiguration.
CVE-2021-39220 1 Nextcloud 1 Mail 2024-02-28 3.5 LOW 3.5 LOW
Nextcloud is an open-source, self-hosted productivity platform The Nextcloud Mail application prior to versions 1.10.4 and 1.11.0 does by default not render images in emails to not leak the read state or user IP. The privacy filter failed to filter images with a relative protocol. It is recommended that the Nextcloud Mail application is upgraded to 1.10.4 or 1.11.0. There are no known workarounds aside from upgrading.