Nextcloud Mail app vulnerable to Server-Side Request Forgery
CVE-2023-48307

CVSS 9.8 CRITICAL

Key Information:

Vendor: nextcloud
CVE Published: 21 November 2023

What is CVE-2023-48307?

The Nextcloud Mail app, the email client for the self-hosted Nextcloud platform, exposes an unprotected endpoint that an unauthenticated attacker can use to perform Server-Side Request Forgery (SSRF), causing the server to issue HTTP requests on the attacker's behalf. The issue affects versions starting from 1.13.0 up to, but not including, versions 2.2.8 and 3.3.0. Users should upgrade to a patched version to mitigate this risk. As an interim measure, disabling the Mail app removes the vulnerable endpoint and prevents exploitation.

Affected Version(s)

Package: security-advisories
  Affected: >= 1.13.0, < 2.2.8
  Unaffected: < 1.13.0, 2.2.8

Package: security-advisories
  Affected: >= 3.1.0, < 3.3.0
  Unaffected: < 3.1.0, 3.3.0

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved