A vulnerability classified as critical was found in Nextcloud Mail up to 2.2.7/3.2.x (Cloud Software). This vulnerability affects an unknown part of the component Proxy Endpoint. The manipulation with an unknown input leads to a server-side request forgery vulnerability. The CWE definition for the vulnerability is CWE-918. The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. As an impact it is known to affect availability. CVE summarizes:

Nextcloud mail is an email app for the Nextcloud home server platform. In affected versions a missing check of origin, target and cookies allows for an attacker to abuse the proxy endpoint to denial of service a third server. It is recommended that the Nextcloud Mail is upgraded to 2.2.8 or 3.3.0. There are no known workarounds for this vulnerability.

The weakness was presented 10/16/2023 as GHSA-8j9x-fmww-qr37. The advisory is shared for download at github.com. This vulnerability was named CVE-2023-45660 since 10/10/2023. There are neither technical details nor an exploit publicly available.

Upgrading to version 2.2.8 or 3.3.0 eliminates this vulnerability. Applying a patch is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

See VDB-78986 for similar entry.

Productinfo

Type

• Cloud Software

Vendor

• Nextcloud

Name

• Mail

Version

• 2.2.0
• 2.2.1
• 2.2.2
• 2.2.3
• 2.2.4
• 2.2.5
• 2.2.6
• 2.2.7
• 3.0
• 3.1
• 3.2

License

• open-source

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion