Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2021-39220

Nextcloud is an open-source, self-hosted productivity platform The Nextcloud Mail application prior to versions 1.10.4 and 1.11.0 does by default not render images in emails to not leak the read state or user IP. The privacy filter failed to filter images with a relative protocol. It is recommended that the Nextcloud Mail application is upgraded to 1.10.4 or 1.11.0. There are no known workarounds aside from upgrading.

Published

2021-10-25T19:15:09.577

Last Modified

2024-11-21T06:18:56.227

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 3.5 (LOW)

CVSSv2 Vector

AV:N/AC:M/Au:S/C:P/I:N/A:N

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Exploitability Score

6.8

Impact Score

2.9

Weaknesses

Type: Secondary
CWE-20
CWE-200
Type: Primary
CWE-20

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	nextcloud	mail	< 1.10.4	Yes

References

https://github.com/nextcloud/mail/pull/5470 Patch, Third Party Advisory ([email protected])
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6q9v-wm8r-rcv5 Third Party Advisory ([email protected])
https://hackerone.com/reports/1308147 Permissions Required ([email protected])
https://github.com/nextcloud/mail/pull/5470 Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6q9v-wm8r-rcv5 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://hackerone.com/reports/1308147 Permissions Required (af854a3a-2127-422b-91ae-364da2661108)