CVE-2023-48307 – Nextcloud Mail app vulnerable to Server-Side Request Forgery
https://notcve.org/view.php?id=CVE-2023-48307
Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. Starting in version 1.13.0 and prior to version 2.2.8 and 3.3.0, an attacker can use an unprotected endpoint in the Mail app to perform a SSRF attack. Nextcloud Mail app versions 2.2.8 and 3.3.0 contain a patch for this issue. As a workaround, disable the mail app. Nextcloud Mail es la aplicación de correo de Nextcloud, una plataforma de productividad autohospedada. • https://github.com/nextcloud/mail/pull/8709 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4pp4-m8ph-2999 https://hackerone.com/reports/1869714 • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2023-45660 – Require strict cookies for image proxy requests in Nextcloud Mail
https://notcve.org/view.php?id=CVE-2023-45660
Nextcloud mail is an email app for the Nextcloud home server platform. In affected versions a missing check of origin, target and cookies allows for an attacker to abuse the proxy endpoint to denial of service a third server. It is recommended that the Nextcloud Mail is upgraded to 2.2.8 or 3.3.0. There are no known workarounds for this vulnerability. Nextcloud mail es una aplicación de correo electrónico para la plataforma de servidor doméstico Nextcloud. • https://github.com/nextcloud/mail/pull/8459 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8j9x-fmww-qr37 https://hackerone.com/reports/1895874 • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2015-9097
https://notcve.org/view.php?id=CVE-2015-9097
The mail gem before 2.5.5 for Ruby (aka A Really Ruby Mail Library) is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA substring. La mail gem versiones anteriores a 2.5.5 para Ruby (también conocida como A Really Ruby Mail Library) es vulnerable a inyección de comandos SMTP mediante secuencias CRLF con el comando RCPT TO o MAIL FROM, como lo demuestran las secuencias CRLF inmediatamente antes y después de una subcadena DATA. • http://openwall.com/lists/oss-security/2015/12/11/3 http://www.mbsd.jp/Whitepaper/smtpi.pdf https://github.com/mikel/mail/commit/72befdc4dab3e6e288ce226a7da2aa474cf5be83 https://github.com/mikel/mail/pull/1097 https://github.com/rubysec/ruby-advisory-db/issues/215 https://hackerone.com/reports/137631 https://rubysec.com/advisories/mail-OSVDB-131677 • CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') •
CVE-2016-4879
https://notcve.org/view.php?id=CVE-2016-4879
Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Mail version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. Vulnerabilidad de tipo cross-site request forgery (CSRF) en el plugin Mail para baserCMS en versiones 3.0.10 y anteriores, que permitiría a atacantes remotos secuestrar la autenticación de los administradores a través de vectores no especificados. • http://basercms.net/security/JVN92765814 http://www.securityfocus.com/bid/93217 https://jvn.jp/en/jp/JVN92765814/index.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2011-0739
https://notcve.org/view.php?id=CVE-2011-0739
The deliver function in the sendmail delivery agent (lib/mail/network/delivery_methods/sendmail.rb) in Ruby Mail gem 2.2.14 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in an e-mail address. La función de entrega en el agente de entrega de sendmail (lib/mail/network/delivery_methods/sendmail.rb)para Ruby Mail gem v2.2.14 y anteriores permite a atacantes remotos ejecutar comandos arbitrarios a través de metacaracteres cubiertos en una dirección de correo electrónico. • http://groups.google.com/group/mail-ruby/browse_thread/thread/e93bbd05706478dd?pli=1 http://osvdb.org/70667 http://secunia.com/advisories/43077 http://www.securityfocus.com/bid/46021 http://www.vupen.com/english/advisories/2011/0233 https://exchange.xforce.ibmcloud.com/vulnerabilities/65010 https://github.com/mikel/mail/raw/master/patches/20110126_sendmail.patch • CWE-20: Improper Input Validation •