CVE-2021-39220
LOWNextcloud Mail < 1.10.4 - Privacy Filter Bypass via Relative Protocol Images
Title source: llmDescription
Nextcloud is an open-source, self-hosted productivity platform The Nextcloud Mail application prior to versions 1.10.4 and 1.11.0 does by default not render images in emails to not leak the read state or user IP. The privacy filter failed to filter images with a relative protocol. It is recommended that the Nextcloud Mail application is upgraded to 1.10.4 or 1.11.0. There are no known workarounds aside from upgrading.
References (3)
Core 3
Core References
Third Party Advisory x_refsource_confirm
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6q9v-wm8r-rcv5
Patch, Third Party Advisory x_refsource_misc
https://github.com/nextcloud/mail/pull/5470
Permissions Required x_refsource_misc
https://hackerone.com/reports/1308147
Scores
CVSS v3
3.5
EPSS
0.0026
EPSS Percentile
49.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Details
CWE
CWE-20
CWE-200
Status
published
Products (1)
nextcloud/mail
< 1.10.4
Published
Oct 25, 2021
Tracked Since
Feb 18, 2026