Vulnerability Description
Nextcloud Mail is an email app for the Nextcloud home server platform. Prior to versions 2.2.1, 1.14.5, 1.12.9, and 1.11.8, an attacker can access a mailbox by its ID and retrieve the subjects and the first characters of the emails. Users should upgrade to Mail 2.2.1 for Nextcloud 25, Mail 1.14.5 for Nextcloud 22-24, Mail 1.12.9 for Nextcloud 21, or Mail 1.11.8 for Nextcloud 20 to receive a patch. No known workarounds are available.
CVSS Score
4.1 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nextcloud | Mail | < 1.11.8 |
Related Weaknesses (CWE)
References
- https://github.com/nextcloud/mail/pull/7740 (Patch)
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-m45f-r (Vendor Advisory)
- https://hackerone.com/reports/1784681 (Permissions Required, Third Party Advisory)
FAQ
What is CVE-2023-25160?
CVE-2023-25160 is a vulnerability with a CVSS score of 4.1 (MEDIUM). Nextcloud Mail is an email app for the Nextcloud home server platform. Prior to versions 2.2.1, 1.14.5, 1.12.9, and 1.11.8, an attacker can access the mail box by ID getting the subjects and the first...
How severe is CVE-2023-25160?
CVE-2023-25160 has been rated MEDIUM with a CVSS base score of 4.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-25160?
Check the references section above for vendor advisories and patch information. Affected products include: Nextcloud Mail.