Vulnerability CVE-2021-32707


Published: 2021-07-12

Description:
Nextcloud Mail is a mail app for Nextcloud. In versions prior to 1.9.6, the Nextcloud Mail application by default does not render images in emails, so as not to leak the read state. The privacy filter failed to filter images set with a `background-image` CSS attribute. Note that the images were still passed through the Nextcloud image proxy, so there was no IP leakage. The issue was patched in versions 1.9.6 and 1.10.0. No workarounds are known to exist.

Type: CWE-200 (Information Exposure)

CVSS2 => (AV:N/AC:L/Au:S/C:N/I:P/A:N)

CVSS Base Score: 4/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Affected software
Nextcloud -> Nextcloud mail 

 References:
https://hackerone.com/reports/1215251
https://github.com/nextcloud/mail/pull/5189
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xxp4-44xc-8crh

Copyright 2024, cxsecurity.com