Nextcloud · Nextcloud Mail · CVE-2024-52508
Name of the Vulnerable Software and Affected Versions:
Nextcloud Mail versions prior to 1.14.6
Nextcloud Mail versions prior to 1.15.4
Nextcloud Mail versions prior to 2.2.11
Nextcloud Mail versions prior to 3.6.3
Nextcloud Mail versions prior to 3.7.7
Nextcloud Mail versions prior to 4.0.0
Description:
The issue is caused by incorrect automatic configuration in the Nextcloud Mail client. A remote attacker could exploit it to disclose protected information. This can happen when a user tries to set up a mail account with an email address that does not support auto-configuration and the attacker has registered a domain that can intercept the email details.
Recommendations:
For versions prior to 1.14.6, upgrade to 1.14.6 or later.
For versions prior to 1.15.4, upgrade to 1.15.4 or later.
For versions prior to 2.2.11, upgrade to 2.2.11 or later.
For versions prior to 3.6.3, upgrade to 3.6.3 or later.
For versions prior to 3.7.7, upgrade to 3.7.7 or later.
For versions prior to 4.0.0, upgrade to 4.0.0 or later.
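Added example (not part of the original advisory or of Nextcloud's code): a check that maps an installed Mail app version to the fixed release listed above. It assumes each fixed release covers its own major.minor branch, that an unlisted older branch should move to the next listed fix, and that the version is read from `occ app:list` text output; the sample output is constructed.

```python
import re

# Fixed releases named in the advisory, in ascending order.
FIXED = [(1, 14, 6), (1, 15, 4), (2, 2, 11), (3, 6, 3), (3, 7, 7), (4, 0, 0)]

def parse_version(text):
    """Return ((major, minor, patch), is_prerelease) for 'X.Y.Z[-suffix]'."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.groups()[:3]), m.group(4) is not None

def assess(installed):
    """Return (affected, minimum fixed version to upgrade to, or None)."""
    core, pre = parse_version(installed)
    # Assumption: a fixed release covers its own major.minor branch.
    branch = [f for f in FIXED if f[:2] == core[:2]]
    if branch:
        target = branch[0]
    elif core > FIXED[-1]:
        return False, None  # newer branch than any listed fix
    else:
        # Unlisted older branch: point at the next listed fix above it.
        target = next(f for f in FIXED if f > core)
    # A pre-release of the fixed version (e.g. 4.0.0-rc.1) still counts as prior to it.
    affected = core < target or (core == target and pre)
    return affected, ".".join(map(str, target)) if affected else None

def mail_version_from_app_list(output):
    """Pull the Mail app version out of `occ app:list` text output."""
    m = re.search(r"^\s*-\s*mail:\s*(\S+)\s*$", output, re.MULTILINE)
    return m.group(1) if m else None

# Constructed sample of `occ app:list` output (not from a real server).
SAMPLE = """Enabled:
  - files: 1.22.0
  - mail: 3.7.6
Disabled:
  - encryption: 2.20.0
"""

if __name__ == "__main__":
    version = mail_version_from_app_list(SAMPLE)
    print(version, assess(version))
```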