9.8

CVE-2023-48307

Nextcloud Mail app vulnerable to Server-Side Request Forgery

Server-Side Request Forgery (SSRF) in Mail app

Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. Starting in version 1.13.0 and prior to versions 2.2.8 and 3.3.0, an attacker can use an unprotected endpoint in the Mail app to perform an SSRF attack, i.e. make the Nextcloud server issue HTTP requests to destinations of the attacker's choosing. Nextcloud Mail app versions 2.2.8 and 3.3.0 contain a patch for this issue. As a workaround, disable the Mail app.
Possible countermeasure
Mail: disable the Mail app until it can be updated to 2.2.8 / 3.3.0 or later
Data provided by the National Vulnerability Database (NVD)
Affected: Nextcloud Mail version >= 1.13.0, < 2.2.8
Affected: Nextcloud Mail version >= 3.0.0, < 3.3.0
Further vulnerability information
System: Nextcloud app
Product: Mail
Version: >= 1.13.0, < 2.2.8
Version: >= 3.1.0, < 3.3.0
No advisory was found for this CVE.
EPSS metrics
Type    Source      Score    Percentile
EPSS    FIRST.org   0.18%    0.397
CVSS metrics
Source                          Base score   Exploitability score   Impact score   Vector string
nvd@nist.gov                    9.8          3.9                    5.9            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com  3.5          2.1                    1.4            CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L

Note that the two sources disagree sharply: NVD rates the flaw as unauthenticated and fully compromising (PR:N, C:H/I:H/A:H), while the GitHub advisory rates it as requiring a logged-in user and user interaction with only a low availability impact (PR:L/UI:R, A:L). Both vectors compute to the scores shown; which one applies to a given deployment depends on what the Nextcloud host can reach on its internal network.
CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
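The following is an added illustration of the CWE-918 check described above, written for this page; it is not code from Nextcloud or the Mail app, and it does not reproduce the affected endpoint. It shows a generic "fetch this URL on the server's behalf" handler with the destination validation that such an endpoint needs: restrict the scheme and port, refuse credentials in the URL, resolve the hostname, and reject any resolved address that is loopback, private, link-local, or otherwise non-public (including IPv4-mapped IPv6 literals). The `resolve` parameter, the hostnames and the address table in the usage section are assumptions constructed for the example so that it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Policy for an endpoint that fetches remote resources on behalf of a user.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def _resolve(host: str) -> set[str]:
    """Default resolver: every A/AAAA address for host via the system resolver.

    Using getaddrinfo (rather than a regex on the hostname) matters because it
    also canonicalises shorthand such as "127.1" or "0x7f000001" to 127.0.0.1,
    which a naive string check would miss.
    """
    return {info[4][0] for info in socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)}


def is_public_address(addr: str) -> bool:
    """True only for a globally routable unicast address."""
    ip = ipaddress.ip_address(addr)
    # ::ffff:10.0.0.1 is an IPv6 literal that really targets 10.0.0.1; judge the
    # embedded IPv4 address, not the IPv6 wrapper.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (
        ip.is_private        # 10/8, 172.16/12, 192.168/16, fc00::/7, ...
        or ip.is_loopback    # 127/8, ::1
        or ip.is_link_local  # 169.254/16 (cloud metadata lives here), fe80::/10
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified
    )


def check_outbound_url(url: str, resolve=_resolve) -> set[str]:
    """Validate a user-supplied URL before the server fetches it.

    Returns the set of resolved addresses the caller must connect to (pin them;
    do not resolve the name a second time, or a DNS-rebinding attacker can swap
    in an internal address between check and connect). Raises ValueError on
    any policy violation.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    if parts.username is not None or parts.password is not None:
        # "http://user@host" style URLs are a classic way to confuse parsers.
        raise ValueError("userinfo in URL not allowed")
    port = parts.port or (443 if scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise ValueError(f"port not allowed: {port}")

    # IP literals are checked directly; names go through the resolver.
    try:
        addrs = {str(ipaddress.ip_address(host))}
    except ValueError:
        addrs = set(resolve(host))
    if not addrs:
        raise ValueError(f"host does not resolve: {host!r}")
    for addr in addrs:
        if not is_public_address(addr):
            raise ValueError(f"destination {addr} is not a public address")
    return addrs


def is_safe(url: str, resolve=_resolve) -> bool:
    """Boolean convenience wrapper around check_outbound_url."""
    try:
        check_outbound_url(url, resolve)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed address table so the demo needs no network access.
    table = {
        "example.com": ["93.184.216.34"],
        "localhost": ["127.0.0.1"],
        "metadata.internal": ["169.254.169.254"],
    }
    for u in ("https://example.com/feed.xml", "http://localhost/", "http://[::ffff:169.254.169.254]/",
              "http://metadata.internal/latest/", "file:///etc/passwd"):
        print(u, "->", "allowed" if is_safe(u, lambda h: table.get(h, [])) else "blocked")
```

Two caveats a practitioner should keep in mind when applying this to a real endpoint: the addresses returned by `check_outbound_url` have to be the ones actually connected to, and every HTTP redirect has to be passed through the same check, since a public host that 302s to an internal address defeats a check done only on the initial URL.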