First published: Mon Oct 25 2021
Nextcloud is an open-source, self-hosted productivity platform. By default, the Nextcloud Mail application does not render images in emails, so that opening a message does not leak its read state or the user's IP address to the sender. In versions prior to 1.10.4 and 1.11.0, the privacy filter failed to block images whose source is a protocol-relative URL ("//host/path"): the browser resolves such a URL with the scheme of the page rendering the mail, so the image is still fetched from the remote host. It is recommended that the Nextcloud Mail application is upgraded to 1.10.4 or 1.11.0. There are no known workarounds aside from upgrading.
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix
---|---|---
Nextcloud Mail | <1.10.4 | Upgrade to 1.10.4 or 1.11.0
CVE-2021-39220 is a privacy filter bypass in the Nextcloud Mail application. The filter is meant to stop images in emails from being loaded, so that the read state and the user's IP address are not disclosed, but it did not catch images referenced by protocol-relative URLs.
CVE-2021-39220 allows a sender to bypass the privacy filter with a protocol-relative image URL; the image is fetched when the recipient views the mail, which can disclose that the message was read and the recipient's IP address.
The severity of CVE-2021-39220 is low, with a score of 3.5.
To fix CVE-2021-39220, update Nextcloud Mail to version 1.10.4 or later, or to 1.11.0.
You can find more information about CVE-2021-39220 on the Nextcloud Mail GitHub repository and in the HackerOne report.