PT-2023-30769 · Nextcloud · Nextcloud Mail
Arianitisufi +2 · Published 2023-11-21 · Updated 2023-11-30 · CVE-2023-48307
CVSS v3.1: 3.5 (Low)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions
Nextcloud Mail versions 1.13.0 through 2.2.7
Nextcloud Mail version 2.2.8 is not affected, but versions prior to 3.3.0 are affected, so the correct range is:
Nextcloud Mail versions 1.13.0 through 3.2.x
Description
Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. An attacker can use an unprotected endpoint in the Mail app to perform a Server-Side Request Forgery (SSRF) attack.
Recommendations
For Nextcloud Mail versions 1.13.0 through 2.2.7, update to version 2.2.8 or later.
For Nextcloud Mail versions prior to 3.3.0, update to version 3.3.0.
As a temporary workaround for all affected versions, consider disabling the mail app.
Affected Products
Nextcloud Mail