CVE-2021-39220

Nextcloud is an open-source, self-hosted productivity platform The Nextcloud Mail application prior to versions 1.10.4 and 1.11.0 does by default not render images in emails to not leak the read state or user IP. The privacy filter failed to filter images with a relative protocol. It is recommended that the Nextcloud Mail application is upgraded to 1.10.4 or 1.11.0. There are no known workarounds aside from upgrading.
Configurations

Configuration 1 (hide)

cpe:2.3:a:nextcloud:mail:*:*:*:*:*:*:*:*

History

05 Aug 2022, 11:05

Type Values Removed Values Added
CWE CWE-200

27 Oct 2021, 15:07

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 3.5
v2 : 3.5
v3 : 3.5
CPE cpe:2.3:a:nextcloud:mail:*:*:*:*:*:*:*:*
References (MISC) https://hackerone.com/reports/1308147 - (MISC) https://hackerone.com/reports/1308147 - Permissions Required
References (CONFIRM) https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6q9v-wm8r-rcv5 - (CONFIRM) https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6q9v-wm8r-rcv5 - Third Party Advisory
References (MISC) https://github.com/nextcloud/mail/pull/5470 - (MISC) https://github.com/nextcloud/mail/pull/5470 - Patch, Third Party Advisory

25 Oct 2021, 19:15

Type Values Removed Values Added
New CVE

Information

Published : 2021-10-25 19:15

Updated : 2024-02-04 22:08


NVD link : CVE-2021-39220

Mitre link : CVE-2021-39220

CVE.ORG link : CVE-2021-39220


JSON object : View

Products Affected

nextcloud

  • mail
CWE
CWE-20

Improper Input Validation

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor