Unauthenticated SSRF in 3rd party module "cerdic/csstidy"
CVE-2022-31132

8.3HIGH

Key Information:

Vendor: Nextcloud
Status: Security-advisories
Vendor: CVE Published:; 4 August 2022

What is CVE-2022-31132?

Nextcloud Mail is an email application for the nextcloud personal cloud product. Affected versions shipped with a CSS minifier on the path ./vendor/cerdic/css-tidy/css_optimiser.php. Access to the minifier is unrestricted and access may lead to Server-Side Request Forgery (SSRF). It is recommendet to upgrade to Mail 1.12.7 or Mail 1.13.6. Users unable to upgrade may manually delete the file located at ./vendor/cerdic/css-tidy/css_optimiser.php

Affected Version(s)

security-advisories < 1.12.8 < 1.12.8

security-advisories >= 1.13.0, < 1.13.6 < 1.13.0, 1.13.6

References

https://github.com/nextcloud/security-advisories/security...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.3

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 4, 2022
Vulnerability Reserved
May 18, 2022