← back
CVE-2021-39220

Bypass of image blocking in Nextcloud Mail

CVSS 3.5 LOWEPSS 0.8%CWE-20CWE-200
Vexday Risk Score
8Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 3.5EPSS 0.8%KEV nãoPoC Patch
Lifecycle
25 Oct 2021Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Nextcloud is an open-source, self-hosted productivity platform The Nextcloud Mail application prior to versions 1.10.4 and 1.11.0 does by default not render images in emails to not leak the read state or user IP. The privacy filter failed to filter images with a relative protocol. It is recommended that the Nextcloud Mail application is upgraded to 1.10.4 or 1.11.0. There are no known workarounds aside from upgrading.
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Affected products
nextcloud · security-advisories

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/nextcloud/mail/pull/5470https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6q9v-wm8r-rcv5https://hackerone.com/reports/1308147