Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2021-32707

Nextcloud Mail is a mail app for Nextcloud. In versions prior to 1.9.6, the Nextcloud Mail application does not, by default, render images in emails to not leak the read state. The privacy filter failed to filter images with a `background-image` CSS attribute. Note that the images were still passed through the Nextcloud image proxy, and thus there was no IP leakage. The issue was patched in version 1.9.6 and 1.10.0. No workarounds are known to exist.

Published

2021-07-12T19:15:10.227

Last Modified

2024-11-21T06:07:34.327

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 4.3 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:N/I:P/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

8.0

Impact Score

2.9

Weaknesses

Type: Secondary
CWE-20
CWE-200
Type: Primary
NVD-CWE-Other

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	nextcloud	mail	< 1.9.6	Yes

References

https://github.com/nextcloud/mail/pull/5189 Patch, Third Party Advisory ([email protected])
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xxp4-44xc-8crh Third Party Advisory ([email protected])
https://hackerone.com/reports/1215251 Exploit, Third Party Advisory ([email protected])
https://github.com/nextcloud/mail/pull/5189 Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xxp4-44xc-8crh Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://hackerone.com/reports/1215251 Exploit, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)