CVE Vulnerability

CVE-2023-25160

Nextcloud Mail is an email app for the Nextcloud home server platform. Prior to versions 2.2.1, 1.14.5, 1.12.9, and 1.11.8, an attacker can access the mail box by ID getting the subjects and the first characters of the emails. Users should upgrade to Mail 2.2.1 for Nextcloud 25, Mail 1.14.5 for Nextcloud 22-24, Mail 1.12.9 for Nextcloud 21, or Mail 1.11.8 for Nextcloud 20 to receive a patch. No known workarounds are available.

5.3 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://hackerone.com/reports/1784681 Permissions Required Third Party Advisory
https://github.com/nextcloud/mail/pull/7740 Patch
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-m45f-r5gh-h6cx Vendor Advisory
Configurations

Configuration 1

cpe:2.3:a:nextcloud:mail:*:*:*:*:*:*:*:*
cpe:2.3:a:nextcloud:mail:*:*:*:*:*:*:*:*
cpe:2.3:a:nextcloud:mail:*:*:*:*:*:*:*:*
cpe:2.3:a:nextcloud:mail:*:*:*:*:*:*:*:*
Information

Published : 2023-02-13 09:15

Updated : 2023-02-22 09:26

NVD link : CVE-2023-25160

Mitre link : CVE-2023-25160

Products Affected
No products.
CWE
No CWE.