Nextcloud Mail
By the Year
In 2023 there have been 5 vulnerabilities in Nextcloud Mail with an average score of 6.0 out of ten. Last year Mail had 2 security vulnerabilities published. That is, 3 more vulnerabilities have already been reported in 2023 as compared to last year. Last year, the average CVE base score was greater by 1.31
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2023 | 5 | 6.04 |
| 2022 | 2 | 7.35 |
| 2021 | 1 | 3.50 |
| 2020 | 0 | 0.00 |
| 2019 | 0 | 0.00 |
| 2018 | 0 | 0.00 |
It may take a day or so for new Mail vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Nextcloud Mail Security Vulnerabilities
Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform
CVE-2023-48307
9.8 - Critical
- November 21, 2023
Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. Starting in version 1.13.0 and prior to version 2.2.8 and 3.3.0, an attacker can use an unprotected endpoint in the Mail app to perform a SSRF attack. Nextcloud Mail app versions 2.2.8 and 3.3.0 contain a patch for this issue. As a workaround, disable the mail app.
Nextcloud mail is an email app for the Nextcloud home server platform
CVE-2023-45660
4.3 - Medium
- October 16, 2023
Nextcloud mail is an email app for the Nextcloud home server platform. In affected versions a missing check of origin, target and cookies allows for an attacker to abuse the proxy endpoint to denial of service a third server. It is recommended that the Nextcloud Mail is upgraded to 2.2.8 or 3.3.0. There are no known workarounds for this vulnerability.
XSPA
Nextcloud Mail is an email app for the Nextcloud home server platform
CVE-2023-25160
5.3 - Medium
- February 13, 2023
Nextcloud Mail is an email app for the Nextcloud home server platform. Prior to versions 2.2.1, 1.14.5, 1.12.9, and 1.11.8, an attacker can access the mail box by ID getting the subjects and the first characters of the emails. Users should upgrade to Mail 2.2.1 for Nextcloud 25, Mail 1.14.5 for Nextcloud 22-24, Mail 1.12.9 for Nextcloud 21, or Mail 1.11.8 for Nextcloud 20 to receive a patch. No known workarounds are available.
Insecure Direct Object Reference / IDOR
Nextcloud mail is an email app for the nextcloud home server platform
CVE-2023-23943
4.3 - Medium
- February 06, 2023
Nextcloud mail is an email app for the nextcloud home server platform. In affected versions the SMTP, IMAP and Sieve host fields allowed to scan for internal services and servers reachable from within the local network of the Nextcloud Server. It is recommended that the Nextcloud Maill app is upgraded to 1.15.0 or 2.2.2. The only known workaround for this issue is to completely disable the nextcloud mail app.
XSPA
Nextcloud mail is an email app for the nextcloud home server platform
CVE-2023-23944
6.5 - Medium
- February 06, 2023
Nextcloud mail is an email app for the nextcloud home server platform. In versions prior to 2.2.2 user's passwords were stored in cleartext in the database during the duration of OAuth2 setup procedure. Any attacker or malicious user with access to the database would have access to these user passwords until the OAuth setup has been completed. It is recommended that the Nextcloud Mail app is upgraded to 2.2.2. There are no known workarounds for this issue.
Cleartext Storage of Sensitive Information
Nextcloud Mail is an email application for the nextcloud personal cloud product
CVE-2022-31119
4.9 - Medium
- August 04, 2022
Nextcloud Mail is an email application for the nextcloud personal cloud product. Affected versions of Nextcloud mail would log user passwords to disk in the event of a misconfiguration. Should an attacker gain access to the logs complete access to affected accounts would be obtainable. It is recommended that the Nextcloud Mail is upgraded to 1.12.1. Operators should inspect their logs and remove passwords which have been logged. There are no workarounds to prevent logging in the event of a misconfiguration.
Insertion of Sensitive Information into Log File
Nextcloud Mail is an email application for the nextcloud personal cloud product
CVE-2022-31132
9.8 - Critical
- August 04, 2022
Nextcloud Mail is an email application for the nextcloud personal cloud product. Affected versions shipped with a CSS minifier on the path `./vendor/cerdic/css-tidy/css_optimiser.php`. Access to the minifier is unrestricted and access may lead to Server-Side Request Forgery (SSRF). It is recommendet to upgrade to Mail 1.12.7 or Mail 1.13.6. Users unable to upgrade may manually delete the file located at `./vendor/cerdic/css-tidy/css_optimiser.php`
XSPA
Nextcloud is an open-source
CVE-2021-39220
3.5 - Low
- October 25, 2021
Nextcloud is an open-source, self-hosted productivity platform The Nextcloud Mail application prior to versions 1.10.4 and 1.11.0 does by default not render images in emails to not leak the read state or user IP. The privacy filter failed to filter images with a relative protocol. It is recommended that the Nextcloud Mail application is upgraded to 1.10.4 or 1.11.0. There are no known workarounds aside from upgrading.
Improper Input Validation
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Nextcloud Mail or by Nextcloud? Click the Watch button to subscribe.
