Lucene search

GitHub_MCVELIST:CVE-2021-39220

HistoryOct 25, 2021 - 6:55 p.m.

CVE-2021-39220 Bypass of image blocking in Nextcloud Mail

2021-10-2518:55:14

CWE-20

CWE-200

GitHub_M

www.cve.org

cve-2021-39220

nextcloud mail

image blocking

privacy filter failed

CVSS3

3.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

AI Score

4.2

Confidence

High

EPSS

0.001

Percentile

24.8%

JSON

Nextcloud is an open-source, self-hosted productivity platform The Nextcloud Mail application prior to versions 1.10.4 and 1.11.0 does by default not render images in emails to not leak the read state or user IP. The privacy filter failed to filter images with a relative protocol. It is recommended that the Nextcloud Mail application is upgraded to 1.10.4 or 1.11.0. There are no known workarounds aside from upgrading.

CNA Affected

[
  {
    "product": "security-advisories",
    "vendor": "nextcloud",
    "versions": [
      {
        "status": "affected",
        "version": "< 1.10.4, < 1.11.0"
      }
    ]
  }
]

References

github.com/nextcloud/mail/pull/5470

github.com/nextcloud/security-advisories/security/advisories/GHSA-6q9v-wm8r-rcv5

hackerone.com/reports/1308147

CVSS3

3.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

AI Score

4.2

Confidence

High

EPSS

0.001

Percentile

24.8%

JSON

Related for CVELIST:CVE-2021-39220