Vulnerability Description
Nextcloud Mail is a mail app for Nextcloud. In versions prior to 1.9.6, the Nextcloud Mail application does not, by default, render images in emails to not leak the read state. The privacy filter failed to filter images with a `background-image` CSS attribute. Note that the images were still passed through the Nextcloud image proxy, and thus there was no IP leakage. The issue was patched in version 1.9.6 and 1.10.0. No workarounds are known to exist.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nextcloud | < 1.9.6 |
Related Weaknesses (CWE)
References
- https://github.com/nextcloud/mail/pull/5189PatchThird Party Advisory
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xxp4-4Third Party Advisory
- https://hackerone.com/reports/1215251ExploitThird Party Advisory
- https://github.com/nextcloud/mail/pull/5189PatchThird Party Advisory
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xxp4-4Third Party Advisory
- https://hackerone.com/reports/1215251ExploitThird Party Advisory
FAQ
What is CVE-2021-32707?
CVE-2021-32707 is a vulnerability with a CVSS score of 4.3 (MEDIUM). Nextcloud Mail is a mail app for Nextcloud. In versions prior to 1.9.6, the Nextcloud Mail application does not, by default, render images in emails to not leak the read state. The privacy filter fail...
How severe is CVE-2021-32707?
CVE-2021-32707 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-32707?
Check the references section above for vendor advisories and patch information. Affected products include: Nextcloud Mail.