CVE-2023-45660
Require strict cookies for image proxy requests in Nextcloud Mail
Severity Score
4.3
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Track
*SSVC
Descriptions
Nextcloud mail is an email app for the Nextcloud home server platform. In affected versions a missing check of origin, target and cookies allows for an attacker to abuse the proxy endpoint to denial of service a third server. It is recommended that the Nextcloud Mail is upgraded to 2.2.8 or 3.3.0. There are no known workarounds for this vulnerability.
Nextcloud mail es una aplicación de correo electrónico para la plataforma de servidor doméstico Nextcloud. En las versiones afectadas, la falta de verificación de origen, destino y cookies permite a un atacante abusar del endpoint del proxy para negar el servicio a un tercer servidor. Se recomienda actualizar Nextcloud Mail a 2.2.8 o 3.3.0. No se conocen workarounds para esta vulnerabilidad.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Track
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2023-10-10 CVE Reserved
- 2023-10-16 CVE Published
- 2024-09-13 CVE Updated
- 2024-10-22 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-918: Server-Side Request Forgery (SSRF)
CAPEC
References (3)
| URL | Tag | Source |
|---|---|---|
| https://hackerone.com/reports/1895874 | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/nextcloud/mail/pull/8459 | 2023-10-20 |
| URL | Date | SRC |
|---|---|---|
| https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8j9x-fmww-qr37 | 2023-10-20 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Nextcloud Search vendor "Nextcloud" | Mail Search vendor "Nextcloud" for product "Mail" | >= 2.2.0 < 2.2.8 Search vendor "Nextcloud" for product "Mail" and version " >= 2.2.0 < 2.2.8" | - |
Affected
| ||||||
| Nextcloud Search vendor "Nextcloud" | Mail Search vendor "Nextcloud" for product "Mail" | >= 3.0.0 < 3.3.0 Search vendor "Nextcloud" for product "Mail" and version " >= 3.0.0 < 3.3.0" | - |
Affected
| ||||||