8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.003 Low
EPSS
Percentile
63.4%
When downloading mail attachments, the app fails to properly escape quotes in the content disposition header. Because of this, an attacker can send a victim a file with a benign extension such as .txt
or .png
which when downloaded will be stored with a malicious extension such as .bat
or .docm
.
This vulnerability can for example be exploited in the following scenarios:
test.bat".png
..png
file, it will be downloaded as test.bat
instead.Tested with Firefox under Windows.
As alternative to .bat
files (which may be prevented from executing by Microsoft Defender SmartScreen), an attacker can also send other malicious files such as for example .vbs
files, as well as .docm
files containing macro viruses.
GET /nextcloud/index.php/apps/mail/api/messages/26/attachment/2 HTTP/1.1
Host: 192.168.0.101
HTTP/1.1 200 OK
[...]
Content-Disposition: attachment; filename="test.bat".png"
[...]
Content-Type: application/octet-stream
C:\Windows\system32\calc.exe
Quotes should be properly escaped before being inserted into the Content-Disposition header.
Offering malicious files for download, leading to code execution on the computer of the victim if they download and open the file.
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.003 Low
EPSS
Percentile
63.4%