Unauthenticated SSRF in 3rd party module "cerdic/csstidy"

Description

Impact

This vulnerability can be exploited by an unauthenticated attacker and opens the possibility of not only attacking other local services, but also the router of the home network. The ability to receive and write CSS files can be used by the attacker to find out what other services are running on devices in the network or what kind of router is used etc. before running additional attacks.

Patches

It is recommendet to upgrade to Mail 1.12.7 or Mail 1.13.6

Workarounds

Users can manually delete the file located at ./vendor/cerdic/css-tidy/css_optimiser.php

References

• Pull request
• HackerOne

For more information

If you have any questions or comments about this advisory:

• Create a post in nextcloud/security-advisories
• Customers: Open a support ticket at support.nextcloud.com