Mail Nextcloud Mail

Do you want an email whenever new security vulnerabilities are reported in Nextcloud Mail?

By the Year

In 2024 there have been 0 vulnerabilities in Nextcloud Mail . Last year Mail had 5 security vulnerabilities published. Right now, Mail is on track to have less security vulnerabilities in 2024 than it did last year.

Year Vulnerabilities Average Score
2024 0 0.00
2023 5 6.04
2022 2 7.35
2021 1 3.50
2020 0 0.00
2019 0 0.00
2018 0 0.00

It may take a day or so for new Mail vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Nextcloud Mail Security Vulnerabilities

Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform

CVE-2023-48307 9.8 - Critical - November 21, 2023

Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. Starting in version 1.13.0 and prior to version 2.2.8 and 3.3.0, an attacker can use an unprotected endpoint in the Mail app to perform a SSRF attack. Nextcloud Mail app versions 2.2.8 and 3.3.0 contain a patch for this issue. As a workaround, disable the mail app.

Nextcloud mail is an email app for the Nextcloud home server platform

CVE-2023-45660 4.3 - Medium - October 16, 2023

Nextcloud mail is an email app for the Nextcloud home server platform. In affected versions a missing check of origin, target and cookies allows for an attacker to abuse the proxy endpoint to denial of service a third server. It is recommended that the Nextcloud Mail is upgraded to 2.2.8 or 3.3.0. There are no known workarounds for this vulnerability.

XSPA

Nextcloud Mail is an email app for the Nextcloud home server platform

CVE-2023-25160 5.3 - Medium - February 13, 2023

Nextcloud Mail is an email app for the Nextcloud home server platform. Prior to versions 2.2.1, 1.14.5, 1.12.9, and 1.11.8, an attacker can access the mail box by ID getting the subjects and the first characters of the emails. Users should upgrade to Mail 2.2.1 for Nextcloud 25, Mail 1.14.5 for Nextcloud 22-24, Mail 1.12.9 for Nextcloud 21, or Mail 1.11.8 for Nextcloud 20 to receive a patch. No known workarounds are available.

Insecure Direct Object Reference / IDOR

Nextcloud mail is an email app for the nextcloud home server platform

CVE-2023-23943 4.3 - Medium - February 06, 2023

Nextcloud mail is an email app for the nextcloud home server platform. In affected versions the SMTP, IMAP and Sieve host fields allowed to scan for internal services and servers reachable from within the local network of the Nextcloud Server. It is recommended that the Nextcloud Maill app is upgraded to 1.15.0 or 2.2.2. The only known workaround for this issue is to completely disable the nextcloud mail app.

XSPA

Nextcloud mail is an email app for the nextcloud home server platform

CVE-2023-23944 6.5 - Medium - February 06, 2023

Nextcloud mail is an email app for the nextcloud home server platform. In versions prior to 2.2.2 user's passwords were stored in cleartext in the database during the duration of OAuth2 setup procedure. Any attacker or malicious user with access to the database would have access to these user passwords until the OAuth setup has been completed. It is recommended that the Nextcloud Mail app is upgraded to 2.2.2. There are no known workarounds for this issue.

Cleartext Storage of Sensitive Information

Nextcloud Mail is an email application for the nextcloud personal cloud product

CVE-2022-31119 4.9 - Medium - August 04, 2022

Nextcloud Mail is an email application for the nextcloud personal cloud product. Affected versions of Nextcloud mail would log user passwords to disk in the event of a misconfiguration. Should an attacker gain access to the logs complete access to affected accounts would be obtainable. It is recommended that the Nextcloud Mail is upgraded to 1.12.1. Operators should inspect their logs and remove passwords which have been logged. There are no workarounds to prevent logging in the event of a misconfiguration.

Insertion of Sensitive Information into Log File

Nextcloud Mail is an email application for the nextcloud personal cloud product

CVE-2022-31132 9.8 - Critical - August 04, 2022

Nextcloud Mail is an email application for the nextcloud personal cloud product. Affected versions shipped with a CSS minifier on the path `./vendor/cerdic/css-tidy/css_optimiser.php`. Access to the minifier is unrestricted and access may lead to Server-Side Request Forgery (SSRF). It is recommendet to upgrade to Mail 1.12.7 or Mail 1.13.6. Users unable to upgrade may manually delete the file located at `./vendor/cerdic/css-tidy/css_optimiser.php`

XSPA

Nextcloud is an open-source

CVE-2021-39220 3.5 - Low - October 25, 2021

Nextcloud is an open-source, self-hosted productivity platform The Nextcloud Mail application prior to versions 1.10.4 and 1.11.0 does by default not render images in emails to not leak the read state or user IP. The privacy filter failed to filter images with a relative protocol. It is recommended that the Nextcloud Mail application is upgraded to 1.10.4 or 1.11.0. There are no known workarounds aside from upgrading.

Improper Input Validation

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Nextcloud Mail or by Nextcloud? Click the Watch button to subscribe.

Nextcloud
Vendor

subscribe