CVE-2021-32707
Published 2021-07-12
Priority: P4 · 21 · medium · 4.3 (CVSS 3.1)
AV:N / AC:L / PR:L / UI:N / S:U / C:N / I:L / A:N
EPSS: 1.15% (62.8th percentile)
Nextcloud Mail is a mail app for Nextcloud. In versions prior to 1.9.6, the Nextcloud Mail application does not, by default, render images in emails, so as not to leak the read state. The privacy filter failed to filter images with a `background-image` CSS attribute. Note that the images were still passed through the Nextcloud image proxy, and thus there was no IP leakage. The issue was patched in versions 1.9.6 and 1.10.0. No workarounds are known to exist.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nextcloud | | < 1.9.6 | 1.9.6 |
| nextcloud | security-advisories | < 1.9.6 | 1.9.6 |
CVSS provenance
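| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
| nvd | v2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:P/A:N |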
https://github.com/nextcloud/mail/pull/5189
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xxp4-44xc-8crh
https://hackerone.com/reports/1215251