Blind SSRF via server URL input in the Nextcloud Mail app
Low
nickvergessen published GHSA-8gcx-r739-9pf6 Feb 6, 2023
Package
Mail
(Nextcloud)
Affected versions
< 1.15.0, < 2.2.2
Patched versions
1.15.0, 2.2.2
Description
Impact
The SMTP, IMAP and Sieve host fields could be used to scan for internal services and servers reachable from within the local network of the Nextcloud server.
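The following is an added example, not the Nextcloud Mail code or its patch: a server-side check that resolves each user-supplied mail host and refuses any that points at a non-public address. The field names `imap_host`, `smtp_host` and `sieve_host` and the injectable `resolver` parameter are assumptions made for illustration.

```python
import ipaddress
import socket

HOST_FIELDS = ("imap_host", "smtp_host", "sieve_host")  # assumed field names

def system_resolver(host):
    """Resolve a name to the set of addresses the server would connect to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def blocked_addresses(host, resolver=system_resolver):
    """Return the resolved addresses of `host` that are not globally routable.

    Raises ValueError when the host cannot be resolved at all.
    """
    try:
        # IP literals, including bracketed IPv6, need no DNS lookup.
        addrs = {str(ipaddress.ip_address(host.strip("[]")))}
    except ValueError:
        try:
            addrs = set(resolver(host))
        except OSError as exc:
            raise ValueError(f"cannot resolve {host!r}") from exc
    if not addrs:
        raise ValueError(f"cannot resolve {host!r}")
    blocked = []
    for text in sorted(addrs):
        ip = ipaddress.ip_address(text.split("%")[0])  # drop any IPv6 zone id
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped  # judge ::ffff:10.0.0.1 as 10.0.0.1
        if not ip.is_global:  # loopback, RFC 1918, link-local, CGNAT, ...
            blocked.append(str(ip))
    return blocked

def validate_account(settings, resolver=system_resolver):
    """Return {field: "rejected"} for each host field that must not be used.

    Internal and unresolvable hosts get the same answer, so the response
    does not tell the caller which internal names or addresses exist.
    """
    errors = {}
    for field in HOST_FIELDS:
        host = settings.get(field)
        if not host:
            continue
        try:
            if blocked_addresses(host, resolver):
                errors[field] = "rejected"
        except ValueError:
            errors[field] = "rejected"
    return errors
```

The later connection should go to the address that passed the check, because resolving the name a second time can return a different one. Installations whose mail server is legitimately on the internal network would need an explicit allow-list in front of this check.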
Patches
It is recommended that the Nextcloud Mail app is upgraded to 1.15.0 or 2.2.2.
Workarounds
References
For more information
If you have any questions or comments about this advisory: