Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-31132

Nextcloud Mail is an email application for the nextcloud personal cloud product. Affected versions shipped with a CSS minifier on the path `./vendor/cerdic/css-tidy/css_optimiser.php`. Access to the minifier is unrestricted and access may lead to Server-Side Request Forgery (SSRF). It is recommendet to upgrade to Mail 1.12.7 or Mail 1.13.6. Users unable to upgrade may manually delete the file located at `./vendor/cerdic/css-tidy/css_optimiser.php`

Published

2022-08-04T17:15:08.597

Last Modified

2024-11-21T07:03:57.897

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 8.3 (HIGH)

Weaknesses

Type: Primary
CWE-918

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	nextcloud	mail	< 1.12.8	Yes
Application	nextcloud	mail	< 1.13.6	Yes

References

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-24pm-rjfv-23mh Third Party Advisory ([email protected])
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-24pm-rjfv-23mh Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)