CVE-2022-31132
Source: NVD (web.nvd.nist.gov)
Published: 2022-08-04 17:15:08
Weakness: CWE-918 (Server-Side Request Forgery)
Keywords: nextcloud mail, email application, css minifier, unrestricted access, server-side request forgery, ssrf, upgrade, vulnerability, deletion, file

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.002

Percentile

58.3%

Nextcloud Mail is an email application for the Nextcloud personal cloud product. Affected versions shipped with a CSS minifier at ./vendor/cerdic/css-tidy/css_optimiser.php (the path is relative to the Mail app's directory). Access to the minifier is unrestricted, and access may lead to Server-Side Request Forgery (SSRF). It is recommended to upgrade to Mail 1.12.7 or Mail 1.13.6. Users unable to upgrade may manually delete the file located at ./vendor/cerdic/css-tidy/css_optimiser.php.
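The two things an operator needs from the description, a check for whether an install is still exposed and the delete-the-file workaround, as an added shell example (not Nextcloud project code). It assumes the default layout in which the Mail app lives at <nextcloud root>/apps/mail, declares its version in apps/mail/appinfo/info.xml, and has apps/ directly under the web root; none of that is stated on the page. The fixture it runs against is constructed, not a real install.

```shell
#!/bin/sh
# Added example, not Nextcloud project code: check a Nextcloud install for the
# CVE-2022-31132 exposure and apply the workaround from the advisory text.
# Assumptions (not stated on the page): the Mail app lives at <root>/apps/mail and
# declares its version in apps/mail/appinfo/info.xml; apps/ sits under the web root.

MINIFIER_REL='vendor/cerdic/css-tidy/css_optimiser.php'   # path named in the advisory
FIXED_112='1.12.7'   # fix releases named in the description; NVD's range data says
FIXED_113='1.13.6'   # "< 1.12.8", so set FIXED_112=1.12.8 to follow the stricter figure

# Encode "a.b.c" as one integer so branch-aware comparisons are plain -ge tests.
vnum() { printf '%s' "$1" | awk -F. '{ printf "%d", $1*1000000 + $2*1000 + $3 }'; }

# Exit 0 when version $1 carries the fix: at or above the fix release on its own
# branch, or any release after the 1.13 branch. Exit 1 when it is still affected.
version_is_fixed() {
  case "$(printf '%s' "$1" | cut -d. -f1,2)" in
    1.12) [ "$(vnum "$1")" -ge "$(vnum "$FIXED_112")" ] ;;
    1.13) [ "$(vnum "$1")" -ge "$(vnum "$FIXED_113")" ] ;;
    *)    [ "$(vnum "$1")" -ge "$(vnum 1.14.0)" ] ;;
  esac
}

# Print the <version> declared in a Mail app directory's appinfo/info.xml (empty if none).
mail_version() {
  sed -n 's|.*<version>\([^<]*\)</version>.*|\1|p' "$1/appinfo/info.xml" 2>/dev/null | head -n 1
}

# Classify one install root. Prints exactly one of:
#   absent              no Mail app installed
#   fixed               Mail version carries the fix
#   workaround-applied  older Mail, but the minifier file is gone
#   exposed             older Mail and the minifier file is present
assess() {
  app="$1/apps/mail"
  if [ ! -d "$app" ]; then echo absent; return 0; fi
  ver=$(mail_version "$app")
  if [ -n "$ver" ] && version_is_fixed "$ver"; then echo fixed
  elif [ -f "$app/$MINIFIER_REL" ]; then echo exposed
  else echo workaround-applied
  fi
}

# The advisory's workaround for installs that cannot upgrade: delete the minifier.
apply_workaround() {
  f="$1/apps/mail/$MINIFIER_REL"
  if [ -f "$f" ]; then rm -f -- "$f" && echo "removed $f"; else echo "nothing to remove"; fi
}

# Black-box check from outside (needs network, not run in the demo): 200 means the
# minifier is still served, 404 after deletion. Assumes apps/ is under the web root.
probe_remote() {
  curl -s -o /dev/null -w '%{http_code}\n' "${1%/}/apps/mail/$MINIFIER_REL"
}

# Constructed fixture (not a real install): a minimal apps/mail tree with version $1
# and, when $2 is "with-minifier", a stand-in for the minifier file. Prints its path.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/apps/mail/appinfo" "$d/apps/mail/$(dirname "$MINIFIER_REL")"
  printf '<?xml version="1.0"?>\n<info>\n  <id>mail</id>\n  <version>%s</version>\n</info>\n' \
    "$1" > "$d/apps/mail/appinfo/info.xml"
  if [ "${2:-}" = with-minifier ]; then
    printf '<?php // stand-in for css_optimiser.php\n' > "$d/apps/mail/$MINIFIER_REL"
  fi
  echo "$d"
}

demo() {
  d=$(make_fixture 1.13.5 with-minifier)
  echo "before: $(assess "$d")"     # exposed
  apply_workaround "$d"
  echo "after:  $(assess "$d")"     # workaround-applied
  rm -rf -- "$d"
}

case "${1:-}" in
  --assess) assess "$2" ;;
  --fix)    apply_workaround "$2" ;;
  --probe)  probe_remote "$2" ;;
  *)        demo ;;
esac
```

Run it with no arguments for the self-contained demo, `--assess /var/www/nextcloud` to classify a real root, `--fix <root>` to apply the workaround, and `--probe https://cloud.example.test` to confirm from outside that the file is no longer served. Deleting the file is the advisory's stopgap, not a substitute for upgrading: a later app update that ships the vendor directory again will restore the minifier, so re-run the assessment after every Mail update.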

Affected configurations

NVD configuration node (an install matches if either range applies):
  nextcloud mail, version < 1.12.8
  OR
  nextcloud mail, version 1.13.0 to 1.13.6 (the page's rendering drops the delimiter between the two bounds and does not say whether 1.13.6 itself is included)

Vendor | Product | Version | CPE
nextcloud | mail | * | cpe:2.3:a:nextcloud:mail:*:*:*:*:*:*:*:*

Note that the 1.12.8 boundary in NVD's range data does not line up with the 1.12.7 fix release named in the description; when deciding whether an install is patched, treat the vendor advisory as authoritative and these ranges as a hint.
