Nextcloud Mail before 2.2.1 / 1.14.5 / 1.12.9 / 1.11.8 Email Subject Disclosure
CVE-2023-25160 Published on February 13, 2023
IDOR Vulnerability in Nextcloud Mail
Nextcloud Mail is an email app for the Nextcloud home server platform. Prior to versions 2.2.1, 1.14.5, 1.12.9, and 1.11.8, an attacker could access a mailbox by its ID and obtain the subjects and the first characters of the emails in it. Users should upgrade to Mail 2.2.1 for Nextcloud 25, Mail 1.14.5 for Nextcloud 22-24, Mail 1.12.9 for Nextcloud 21, or Mail 1.11.8 for Nextcloud 20 to receive a patch. No known workarounds are available.
Vulnerability Analysis
CVE-2023-25160 is exploitable with network access, requires user interaction, and requires only a small amount of user privileges. The attack complexity is considered low. The potential impact of exploiting this vulnerability is considered small for confidentiality, and small for integrity and availability.
Weakness Type
What is an Insecure Direct Object Reference / IDOR Vulnerability?
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CVE-2023-25160 has been classified as an Insecure Direct Object Reference / IDOR vulnerability or weakness.
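An added illustration of the weakness class described above, not Nextcloud Mail's own code: a mailbox listing keyed only by mailbox ID, beside the same lookup with an ownership check. The mailbox records, user names and function names are constructed for this example.

```python
"""Simplified model of an IDOR in a mailbox listing (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    subject: str
    body: str


@dataclass(frozen=True)
class Mailbox:
    id: int
    owner: str
    messages: tuple


# Constructed sample data: two users, one mailbox each.
MAILBOXES = {
    1: Mailbox(1, "alice", (Message("Invoice March", "Please find attached the invoice."),)),
    2: Mailbox(2, "bob", (Message("Re: offer", "Thanks, let's discuss on Monday."),)),
}


class Forbidden(Exception):
    """Raised when the authenticated user may not read the requested mailbox."""


def preview(mailbox: Mailbox, n: int = 10) -> list:
    """Subject plus the first n characters of each message, as a mail client lists them."""
    return [(m.subject, m.body[:n]) for m in mailbox.messages]


def list_mailbox_idor(current_user: str, mailbox_id: int) -> list:
    """Vulnerable form: the record is fetched by ID and the caller's identity is
    never compared with its owner, so any authenticated user can read any mailbox."""
    return preview(MAILBOXES[mailbox_id])


def list_mailbox_checked(current_user: str, mailbox_id: int) -> list:
    """Hardened form: fetch the record, then verify the authenticated user owns it.
    A missing mailbox and a foreign one raise the same error, so the response does
    not reveal which IDs exist."""
    mailbox = MAILBOXES.get(mailbox_id)
    if mailbox is None or mailbox.owner != current_user:
        raise Forbidden(f"mailbox {mailbox_id} is not accessible to {current_user}")
    return preview(mailbox)


def is_accessible(current_user: str, mailbox_id: int) -> bool:
    """Convenience wrapper around the checked lookup, returning False instead of raising."""
    try:
        list_mailbox_checked(current_user, mailbox_id)
        return True
    except Forbidden:
        return False
```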
Products Associated with CVE-2023-25160
Affected Versions
nextcloud security-advisories:
- Version < 1.11.8 is affected.
- Version >= 1.12.0, < 1.12.9 is affected.
- Version >= 1.13.0, < 1.14.5 is affected.
- Version >= 2.0.0, < 2.2.1 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.