CVE-2023-45660
Require strict cookies for image proxy requests in Nextcloud Mail
Severity Score: -
Exploit Likelihood: -
Affected Versions: -
Public Exploits: 0
Exploited in Wild: -
Decision: Track (SSVC)
Descriptions
Nextcloud Mail is an email app for the Nextcloud home server platform. In affected versions, a missing check of the request origin, the proxied target, and the session cookies allows an attacker to abuse the image proxy endpoint to mount a denial of service against a third-party server. It is recommended that Nextcloud Mail be upgraded to 2.2.8 or 3.3.0. There are no known workarounds for this vulnerability.
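The description names three missing checks: origin, target and cookies. The Python sketch below is added here as an illustration and is not code from Nextcloud Mail or from the referenced pull request; it shows what a request validator for an image-proxy endpoint looks like once all three checks are enforced. The cookie names (`__Host-nc_sameSiteCookiestrict`, `__Host-nc_sameSiteCookielax`) and the rule that both must be present are assumptions modelled on Nextcloud's same-site cookie scheme, and every hostname and request in it is constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlparse

# Assumed stand-ins for Nextcloud's same-site cookie pair. The cookie names
# and the "both must be present" rule are an assumption for this example,
# not lifted from the Nextcloud Mail fix.
STRICT_COOKIE = "__Host-nc_sameSiteCookiestrict"
LAX_COOKIE = "__Host-nc_sameSiteCookielax"


@dataclass
class ProxyRequest:
    """Constructed, minimal view of an incoming proxy request."""
    method: str
    target: str                       # URL the proxy is asked to fetch
    cookies: Dict[str, str] = field(default_factory=dict)
    origin: Optional[str] = None      # Origin header, if the browser sent one
    referer: Optional[str] = None     # Referer header, if present


def passes_strict_cookie_check(req: ProxyRequest) -> bool:
    """A SameSite=Strict cookie is never attached to a cross-site subresource
    load (an <img> or fetch issued from another site), so its absence marks a
    request that did not originate from the Nextcloud UI itself."""
    return (req.cookies.get(STRICT_COOKIE) == "true"
            and req.cookies.get(LAX_COOKIE) == "true")


def passes_origin_check(req: ProxyRequest, own_host: str) -> bool:
    """Require Origin (or, failing that, Referer) to name our own host."""
    source = req.origin or req.referer
    if not source:
        return False
    return urlparse(source).hostname == own_host


def is_allowed_target(url: str) -> bool:
    """Only http(s) targets, and never a literal loopback or private address.
    Resolution-time checks (DNS rebinding, redirects) are out of scope here."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    try:
        addr = ipaddress.ip_address(parsed.hostname)
    except ValueError:
        return True   # a hostname; the fetcher must still pin the resolved address
    return addr.is_global


def validate_proxy_request(req: ProxyRequest, own_host: str) -> str:
    """Return "ok" or the reason the request is rejected: method, then
    cookies, then origin, then target."""
    if req.method.upper() != "GET":
        return "method not allowed"
    if not passes_strict_cookie_check(req):
        return "strict cookie check failed"
    if not passes_origin_check(req, own_host):
        return "cross-origin request rejected"
    if not is_allowed_target(req.target):
        return "target not allowed"
    return "ok"


# Constructed requests: the first mimics an <img> planted on an attacker page,
# the second the same endpoint used legitimately from the Nextcloud Mail UI,
# the third a legitimate session asking the proxy to reach a loopback address.
CROSS_SITE = ProxyRequest(
    method="GET",
    target="https://third-party.example/large-file.bin",
    cookies={},                                   # browser withheld both cookies
    referer="https://attacker.example/page.html",
)
LEGITIMATE = ProxyRequest(
    method="GET",
    target="https://cdn.example.net/newsletter/header.png",
    cookies={STRICT_COOKIE: "true", LAX_COOKIE: "true"},
    origin="https://cloud.example.org",
)
LOOPBACK = ProxyRequest(
    method="GET",
    target="http://127.0.0.1:8080/admin",
    cookies={STRICT_COOKIE: "true", LAX_COOKIE: "true"},
    origin="https://cloud.example.org",
)

if __name__ == "__main__":
    for name, req in (("cross-site", CROSS_SITE), ("legitimate", LEGITIMATE),
                      ("loopback", LOOPBACK)):
        print(f"{name}: {validate_proxy_request(req, 'cloud.example.org')}")
```

The cookie check alone already defeats the cross-site amplification the advisory describes, because a browser will not attach a Strict cookie to an image loaded from a foreign page; the origin and target checks close the remaining paths (a request replayed with stolen cookies, or a legitimate session pointed at an internal address).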
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2023-10-10 CVE Reserved
- 2023-10-16 CVE Published
- 2024-09-13 CVE Updated
- 2024-10-22 EPSS Updated
- (no date) Exploited in Wild
- (no date) KEV Due Date
- (no date) First Exploit
CWE
- CWE-918: Server-Side Request Forgery (SSRF)
CAPEC
References (3)
URL | Tag | Date
---|---|---
https://hackerone.com/reports/1895874 | Third Party Advisory | -
https://github.com/nextcloud/mail/pull/8459 | - | 2023-10-20
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8j9x-fmww-qr37 | - | 2023-10-20
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Nextcloud | Mail | >= 2.2.0 < 2.2.8 | - | Affected
Nextcloud | Mail | >= 3.0.0 < 3.3.0 | - | Affected