PT-2022-20552 · Nextcloud · Nextcloud Mail
Nickvergessen
Published: 2022-08-04
Updated: 2022-08-10
CVE-2022-31132
CVSS v3.1: 8.3 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions
Nextcloud Mail 1.12.x (and earlier) versions prior to 1.12.7
Nextcloud Mail 1.13.x versions prior to 1.13.6
Description
Nextcloud Mail is an email application for the Nextcloud personal cloud product. Affected versions shipped with the CSSTidy CSS minifier, including its web front end at ./vendor/cerdic/css-tidy/css_optimiser.php (relative to the Mail app directory). Access to that script is unrestricted: it is reachable without Nextcloud authentication, and the upstream CSSTidy front end fetches a stylesheet from a caller-supplied URL on the server side, so an unauthenticated request can make the Nextcloud host issue outbound requests to targets of the attacker's choosing, i.e. Server-Side Request Forgery (SSRF). The CVSS vector reflects this: network-reachable, no privileges or user interaction required, and changed scope because the forged requests originate from the Nextcloud server rather than from the vulnerable app itself.
Recommendations
For versions prior to 1.12.7, upgrade to Mail 1.12.7 (or later).
For 1.13.x versions prior to 1.13.6, upgrade to Mail 1.13.6 (or later).
As a temporary workaround for users unable to upgrade, manually delete the file located at ./vendor/cerdic/css-tidy/css_optimiser.php inside the Mail app directory (typically apps/mail under the Nextcloud root). The deletion is undone by anything that reinstalls the app's vendor directory, such as reinstalling the same app version, so treat it as a stopgap and verify the file is still absent until the upgrade is applied.
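As an added example (not code from the advisory or the Nextcloud project), the following POSIX shell script decides from the Mail app's declared version whether an install falls in the affected ranges listed above and applies the workaround by deleting the CSSTidy front end. It assumes the usual Nextcloud layout, with the app at apps/mail and its version in the <version> element of apps/mail/appinfo/info.xml; the make_fixture function builds a constructed stand-in tree so the script runs without a real install.

```shell
#!/bin/sh
# Added example, not code from the advisory or the Nextcloud project.
# Checks whether an install's Mail app version falls in the affected ranges
# for CVE-2022-31132 and applies the advisory's workaround by deleting the
# CSSTidy front end. Assumption: the app lives at $ROOT/apps/mail and its
# version is the <version> element of apps/mail/appinfo/info.xml.

CSSTIDY_REL=apps/mail/vendor/cerdic/css-tidy/css_optimiser.php

# version_lt A B: succeed (status 0) if dotted version A is older than B.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      ai = (i <= na) ? x[i] + 0 : 0
      bi = (i <= nb) ? y[i] + 0 : 0
      if (ai < bi) exit 0
      if (ai > bi) exit 1
    }
    exit 1
  }'
}

# mail_is_vulnerable V: succeed if V is in an affected range from the advisory:
# anything before 1.12.7, or 1.13.0 up to (not including) 1.13.6.
mail_is_vulnerable() {
  v="$1"
  if version_lt "$v" 1.12.7; then
    return 0
  fi
  if ! version_lt "$v" 1.13.0 && version_lt "$v" 1.13.6; then
    return 0
  fi
  return 1
}

# mail_app_version ROOT: print the Mail app version declared in info.xml.
mail_app_version() {
  sed -n 's:.*<version>\([^<]*\)</version>.*:\1:p' "$1/apps/mail/appinfo/info.xml" | head -n 1
}

# apply_workaround ROOT: delete the unrestricted CSSTidy front end if present.
apply_workaround() {
  f="$1/$CSSTIDY_REL"
  if [ -f "$f" ]; then
    rm -f "$f" && echo "removed $f"
  else
    echo "not present: $f"
  fi
}

# make_fixture V: constructed stand-in for a real install (a minimal app tree
# declaring Mail version V with the CSSTidy file in place); prints its path.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/apps/mail/appinfo" "$d/apps/mail/vendor/cerdic/css-tidy"
  printf '<?xml version="1.0"?>\n<info>\n  <id>mail</id>\n  <version>%s</version>\n</info>\n' "$1" \
    > "$d/apps/mail/appinfo/info.xml"
  : > "$d/apps/mail/vendor/cerdic/css-tidy/css_optimiser.php"
  echo "$d"
}

# Demo on the constructed fixture; on a real host, set root to the Nextcloud
# directory instead of calling make_fixture.
root=$(make_fixture 1.12.5)
v=$(mail_app_version "$root")
if mail_is_vulnerable "$v"; then
  echo "Nextcloud Mail $v is in an affected range for CVE-2022-31132"
  apply_workaround "$root"
else
  echo "Nextcloud Mail $v is not in an affected range"
fi
rm -rf "$root"
```

The version comparison is numeric per dotted component, so 1.12.10 sorts after 1.12.7 as intended; the range logic mirrors the two fix branches in the advisory rather than a single "older than" check, since a 1.13.x install below 1.13.6 is affected even though it is newer than 1.12.7.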
SSRF
Affected Products
Nextcloud Mail