CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-48307 – Nextcloud Mail app vulnerable to Server-Side Request Forgery
https://notcve.org/view.php?id=CVE-2023-48307
Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. Starting in version 1.13.0 and prior to version 2.2.8 and 3.3.0, an attacker can use an unprotected endpoint in the Mail app to perform a SSRF attack. Nextcloud Mail app versions 2.2.8 and 3.3.0 contain a patch for this issue. As a workaround, disable the mail app. Nextcloud Mail es la aplicación de correo de Nextcloud, una plataforma de productividad autohospedada. • https://github.com/nextcloud/mail/pull/8709 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4pp4-m8ph-2999 https://hackerone.com/reports/1869714 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2023-45660 – Require strict cookies for image proxy requests in Nextcloud Mail
https://notcve.org/view.php?id=CVE-2023-45660
Nextcloud mail is an email app for the Nextcloud home server platform. In affected versions a missing check of origin, target and cookies allows for an attacker to abuse the proxy endpoint to denial of service a third server. It is recommended that the Nextcloud Mail is upgraded to 2.2.8 or 3.3.0. There are no known workarounds for this vulnerability. Nextcloud mail es una aplicación de correo electrónico para la plataforma de servidor doméstico Nextcloud. • https://github.com/nextcloud/mail/pull/8459 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8j9x-fmww-qr37 https://hackerone.com/reports/1895874 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2016-4877
https://notcve.org/view.php?id=CVE-2016-4877
Cross-site scripting vulnerability in baserCMS plugin Mail version 3.0.10 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de Cross-Site Scripting en el plugin Mail en baserCMS versión 3.0.10 y anteriores permite a los atacantes autenticados remotos inyectar secuencias de comandos web o HTML a través de vectores no especificados • http://basercms.net/security/JVN92765814 http://www.securityfocus.com/bid/93217 https://jvn.jp/en/jp/JVN92765814/index.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2016-4879
https://notcve.org/view.php?id=CVE-2016-4879
Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Mail version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. Vulnerabilidad de tipo cross-site request forgery (CSRF) en el plugin Mail para baserCMS en versiones 3.0.10 y anteriores, que permitiría a atacantes remotos secuestrar la autenticación de los administradores a través de vectores no especificados. • http://basercms.net/security/JVN92765814 http://www.securityfocus.com/bid/93217 https://jvn.jp/en/jp/JVN92765814/index.html • CWE-352: Cross-Site Request Forgery (CSRF) •