CVE-2021-39220 is a vulnerability in Nextcloud Mail
Published on October 25, 2021
Bypass of image blocking in Nextcloud Mail
Nextcloud is an open-source, self-hosted productivity platform The Nextcloud Mail application prior to versions 1.10.4 and 1.11.0 does by default not render images in emails to not leak the read state or user IP. The privacy filter failed to filter images with a relative protocol. It is recommended that the Nextcloud Mail application is upgraded to 1.10.4 or 1.11.0. There are no known workarounds aside from upgrading.
Vulnerability Analysis
CVE-2021-39220 is exploitable with network access, requires user interaction and a small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity and availability.
Weakness Types
Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
What is an Information Disclosure Vulnerability?
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CVE-2021-39220 has been classified to as an Information Disclosure vulnerability or weakness.
Products Associated with CVE-2021-39220
Want to know whenever a new CVE is published for Nextcloud Mail? stack.watch will email you.
Affected Versions
nextcloud security-advisories Version < 1.10.4, < 1.11.0 is affected by CVE-2021-39220Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.