IDOR Vulnerability in Nextcloud Mail

Moderate
miaulalala published GHSA-m45f-r5gh-h6cx Feb 13, 2023

Package

Mail (Nextcloud)

Affected versions

< 2.2.1, < 1.14.5, < 1.12.9, < 1.11.8

Patched versions

2.2.1, 1.14.5, 1.12.9, 1.11.8

Description

Impact

An attacker who knows or guesses a mailbox ID can access that mailbox and obtain the subjects and the first characters of its emails, because the mailbox was looked up by ID without checking that it belongs to the requesting user.
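The following is an added illustration of the access-control pattern behind this class of bug; it is not Nextcloud Mail's code, and the mailbox store, message preview length and function names are constructed for the example. A vulnerable lookup trusts the caller-supplied mailbox ID after only confirming the caller is logged in; the fixed lookup additionally requires that the mailbox belongs to the current user, and reports a foreign mailbox exactly like a missing one so that IDs cannot be enumerated through differing error responses.

```python
"""Mailbox-by-ID lookup with and without an ownership check (constructed example)."""
from dataclasses import dataclass


class NotFound(Exception):
    """Raised when a mailbox does not exist or is not visible to the caller."""


@dataclass(frozen=True)
class Message:
    subject: str
    body: str


@dataclass(frozen=True)
class Mailbox:
    id: int
    owner: str            # user who owns this mailbox
    messages: tuple       # tuple of Message


# Constructed sample data: two users, each with one mailbox.
MAILBOXES = {
    1: Mailbox(1, "alice", (Message("Q1 invoice", "Please find attached the invoice for March."),)),
    2: Mailbox(2, "bob", (Message("Password reset", "Your one-time code is 482913, valid 10 min."),)),
}

# Assumed preview length: subject plus the first characters of the body.
PREVIEW_CHARS = 20


def preview(mailbox: Mailbox) -> list:
    """Return (subject, body prefix) pairs, the kind of data the advisory says leaks."""
    return [(m.subject, m.body[:PREVIEW_CHARS]) for m in mailbox.messages]


def list_messages_vulnerable(current_user: str, mailbox_id: int) -> list:
    """Checks only that someone is logged in; the mailbox ID is taken at face value."""
    if not current_user:
        raise PermissionError("authentication required")
    mailbox = MAILBOXES.get(mailbox_id)
    if mailbox is None:
        raise NotFound(mailbox_id)
    return preview(mailbox)        # any authenticated user can read any mailbox


def list_messages_fixed(current_user: str, mailbox_id: int) -> list:
    """Same lookup, but the mailbox must belong to the caller."""
    if not current_user:
        raise PermissionError("authentication required")
    mailbox = MAILBOXES.get(mailbox_id)
    # A mailbox owned by someone else is reported exactly like a missing one,
    # so the error itself does not reveal which IDs exist.
    if mailbox is None or mailbox.owner != current_user:
        raise NotFound(mailbox_id)
    return preview(mailbox)


def denies_access(fn, current_user: str, mailbox_id: int) -> bool:
    """True if fn refuses the request with NotFound (used to compare both versions)."""
    try:
        fn(current_user, mailbox_id)
    except NotFound:
        return True
    return False


if __name__ == "__main__":
    # alice asks for bob's mailbox (ID 2)
    print("vulnerable:", list_messages_vulnerable("alice", 2))   # leaks bob's preview
    print("fixed denies:", denies_access(list_messages_fixed, "alice", 2))
    print("fixed, own mailbox:", list_messages_fixed("bob", 2))
```

The ownership comparison is the whole fix; in a real application it belongs next to the lookup (or inside the data-access layer) so that every code path reaching a mailbox by ID passes through it.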

Patches

Users should update to

Mail 2.2.1 for Nextcloud 25
Mail 1.14.5 for Nextcloud 22-24
Mail 1.12.9 for Nextcloud 21
Mail 1.11.8 for Nextcloud 20

Workarounds

No workaround available

References

HackerOne
Pull Request

For more information

If you have any questions or comments about this advisory:

Severity

Moderate 4.1 / 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N

CVE ID

CVE-2023-25160

Weaknesses

Credits