Skip to content

Bypass of image blocking in Nextcloud Mail

Low
LukasReschke published GHSA-6q9v-wm8r-rcv5 Oct 25, 2021

Package

Mail (Nextcloud)

Affected versions

< 1.10.4

Patched versions

1.10.4

Description

Impact

The Nextcloud Mail application does by default not render images in emails to not leak the read state or user IP. The privacy filter failed to filter images with a relative protocol.

Patches

It is recommended that the Nextcloud Mail application is upgraded to 1.10.4.

Workarounds

None.

References

For more information

If you have any questions or comments about this advisory:

Severity

Low

CVE ID

CVE-2021-39220

Weaknesses

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Learn more on MITRE.

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Learn more on MITRE.

Credits