fkie_cve-2023-25160
Vulnerability from fkie_nvd
Published
2023-02-13 21:15
Modified
2024-11-21 07:49
Severity ?
4.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Nextcloud Mail is an email app for the Nextcloud home server platform. Prior to versions 2.2.1, 1.14.5, 1.12.9, and 1.11.8, an attacker can access the mail box by ID getting the subjects and the first characters of the emails. Users should upgrade to Mail 2.2.1 for Nextcloud 25, Mail 1.14.5 for Nextcloud 22-24, Mail 1.12.9 for Nextcloud 21, or Mail 1.11.8 for Nextcloud 20 to receive a patch. No known workarounds are available.
References
security-advisories@github.comhttps://github.com/nextcloud/mail/pull/7740Patch
security-advisories@github.comhttps://github.com/nextcloud/security-advisories/security/advisories/GHSA-m45f-r5gh-h6cxVendor Advisory
security-advisories@github.comhttps://hackerone.com/reports/1784681Permissions Required, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/nextcloud/mail/pull/7740Patch
af854a3a-2127-422b-91ae-364da2661108https://github.com/nextcloud/security-advisories/security/advisories/GHSA-m45f-r5gh-h6cxVendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://hackerone.com/reports/1784681Permissions Required, Third Party Advisory
Impacted products
Vendor Product Version
nextcloud mail *
nextcloud mail *
nextcloud mail *
nextcloud mail *


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:nextcloud:mail:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "98CC59D4-0A27-4A47-8CC5-7C97F35F44A3",
              "versionEndExcluding": "1.11.8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nextcloud:mail:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "67876199-B11C-4843-94F5-01B9A63D675B",
              "versionEndExcluding": "1.12.9",
              "versionStartIncluding": "1.12.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nextcloud:mail:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "624E8C69-26E9-4515-A4AC-83A9CB1CBABC",
              "versionEndExcluding": "1.14.5",
              "versionStartIncluding": "1.13.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nextcloud:mail:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "96B1291E-89EB-4F5E-ABDE-B0AB7DAB3E13",
              "versionEndExcluding": "2.2.1",
              "versionStartIncluding": "2.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Nextcloud Mail is an email app for the Nextcloud home server platform. Prior to versions 2.2.1, 1.14.5, 1.12.9, and 1.11.8, an attacker can access the mail box by ID getting the subjects and the first characters of the emails. Users should upgrade to Mail 2.2.1 for Nextcloud 25, Mail 1.14.5 for Nextcloud 22-24, Mail 1.12.9 for Nextcloud 21, or Mail 1.11.8 for Nextcloud 20 to receive a patch. No known workarounds are available."
    }
  ],
  "id": "CVE-2023-25160",
  "lastModified": "2024-11-21T07:49:13.527",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-02-13T21:15:14.673",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/nextcloud/mail/pull/7740"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-m45f-r5gh-h6cx"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Permissions Required",
        "Third Party Advisory"
      ],
      "url": "https://hackerone.com/reports/1784681"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/nextcloud/mail/pull/7740"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-m45f-r5gh-h6cx"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Permissions Required",
        "Third Party Advisory"
      ],
      "url": "https://hackerone.com/reports/1784681"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-639"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-639"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.