5.4

CVE-2025-66514

Nextcloud Mail stored HTML injection in subject text

Mail stored HTML injection in subject text

Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. Prior to 5.5.3, a stored HTML injection in the Mail app's message list allowed an authenticated user to inject HTML into the email subjects. Javascript was correctly blocked by the content security policy of the Nextcloud Server code.
Mögliche Gegenmaßnahme
Mail: * Disable Mail app
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
NextcloudMail SwPlatformnextcloud Version < 5.5.3
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Weitere Schwachstelleninformationen
SystemNextcloud App
Produkt Mail
Version >= 5.2.0, < 5.5.3
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.21% 0.114
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.4 2.3 2.7
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
security-advisories@github.com 3.5 2.1 1.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-v394-8gpc-6fv5
Patch
Vendor Advisory
https://github.com/nextcloud/mail/pull/11740
Patch
Issue Tracking
https://github.com/nextcloud/mail/commit/c64fcc3b79e0c089b5e1d2e04a07bfa740b2ac09
Patch
https://hackerone.com/reports/3357036
Vendor Advisory
Permissions Required
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-v394-8gpc-6fv5
Third Party Advisory