CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-23944 – Nexcloud Mail app temporarily stores cleartext password in database
https://notcve.org/view.php?id=CVE-2023-23944
Nextcloud mail is an email app for the nextcloud home server platform. In versions prior to 2.2.2 user's passwords were stored in cleartext in the database during the duration of OAuth2 setup procedure. Any attacker or malicious user with access to the database would have access to these user passwords until the OAuth setup has been completed. It is recommended that the Nextcloud Mail app is upgraded to 2.2.2. There are no known workarounds for this issue. • https://github.com/nextcloud/mail/pull/7797 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-g86r-x755-93f4 https://hackerone.com/reports/1806275 • CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 0CVE-2022-31119 – Password disclosure in log file in Nextcloud Mail App
https://notcve.org/view.php?id=CVE-2022-31119
Nextcloud Mail is an email application for the nextcloud personal cloud product. Affected versions of Nextcloud mail would log user passwords to disk in the event of a misconfiguration. Should an attacker gain access to the logs complete access to affected accounts would be obtainable. It is recommended that the Nextcloud Mail is upgraded to 1.12.1. Operators should inspect their logs and remove passwords which have been logged. • https://github.com/nextcloud/mail/issues/823 https://github.com/nextcloud/mail/pull/6488/commits/ab9ade57fbc1f465ffe905248f93f328d638d7e5 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-63m3-w68h-3wjg • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-31132 – Unauthenticated SSRF in 3rd party module "cerdic/csstidy"
https://notcve.org/view.php?id=CVE-2022-31132
Nextcloud Mail is an email application for the nextcloud personal cloud product. Affected versions shipped with a CSS minifier on the path `./vendor/cerdic/css-tidy/css_optimiser.php`. Access to the minifier is unrestricted and access may lead to Server-Side Request Forgery (SSRF). It is recommendet to upgrade to Mail 1.12.7 or Mail 1.13.6. • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-24pm-rjfv-23mh • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-31131 – Ownership check missing when updating or deleting mail attachments in Nextcloud mail
https://notcve.org/view.php?id=CVE-2022-31131
Nextcloud mail is a Mail app for the Nextcloud home server product. Versions of Nextcloud mail prior to 1.12.2 were found to be missing user account ownership checks when performing tasks related to mail attachments. Attachments may have been exposed to incorrect system users. It is recommended that the Nextcloud Mail app is upgraded to 1.12.2. There are no known workarounds for this issue. ### Workarounds No workaround available ### References * [Pull request](https://github.com/nextcloud/mail/pull/6600) * [HackerOne](https://hackerone.com/reports/1579820) ### For more information If you have any questions or comments about this advisory: * Create a post in [nextcloud/security-advisories](https://github.com/nextcloud/security-advisories/discussions) * Customers: Open a support ticket at [support.nextcloud.com](https://support.nextcloud.com) Nextcloud mail es una aplicación de correo para el producto Nextcloud home server. • https://github.com/nextcloud/mail/pull/6600 https://github.com/nextcloud/mail/pull/6600/commits/6dd2527be8d4f6788b449c8a8f5577628b990605 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xhv7-5mhv-299j • CWE-287: Improper Authentication CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 3.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-39220 – Bypass of image blocking in Nextcloud Mail
https://notcve.org/view.php?id=CVE-2021-39220
Nextcloud is an open-source, self-hosted productivity platform The Nextcloud Mail application prior to versions 1.10.4 and 1.11.0 does by default not render images in emails to not leak the read state or user IP. The privacy filter failed to filter images with a relative protocol. It is recommended that the Nextcloud Mail application is upgraded to 1.10.4 or 1.11.0. There are no known workarounds aside from upgrading. Nextcloud es una plataforma de productividad de código abierto y auto-alojada La aplicación Nextcloud Mail versiones anteriores a 1.10.4 y 1.11.0, no renderiza por defecto las imágenes en los correos electrónicos para no filtrar el estado de lectura o la IP del usuario. • https://github.com/nextcloud/mail/pull/5470 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6q9v-wm8r-rcv5 https://hackerone.com/reports/1308147 • CWE-20: Improper Input Validation CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •