CVE-2023-23943Server-Side Request Forgery in Security-advisories

CWE-918Server-Side Request Forgery2 documents2 sources
Severity
4.3MEDIUMNVD
CNA5.0
EPSS
0.8%
top 26.29%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Nextcloud Security-advisoriesNextcloud Mail
Timeline
PublishedFeb 6

Description

Nextcloud mail is an email app for the nextcloud home server platform. In affected versions the SMTP, IMAP and Sieve host fields allowed to scan for internal services and servers reachable from within the local network of the Nextcloud Server. It is recommended that the Nextcloud Maill app is upgraded to 1.15.0 or 2.2.2. The only known workaround for this issue is to completely disable the nextcloud mail app.

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

NVDnextcloud/mail2.2.02.2.2+1
CVEListV5nextcloud/security-advisories< 1.15.0+1

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

1
CVEList
Blind SSRF via server URL input in the Nextcloud Mail app2023-02-06
CVE-2023-23943 — Server-Side Request Forgery | cvebase