CVE-2023-23943
MEDIUMNextcloud Mail < 1.15.0 - Server-Side Request Forgery via SMTP/IMAP/Sieve Host Fields
Title source: llmDescription
Nextcloud Mail is an email app for the Nextcloud home server platform. In affected versions, the SMTP, IMAP and Sieve host fields could be used to scan for internal services and servers reachable from within the local network of the Nextcloud server. It is recommended that the Nextcloud Mail app is upgraded to 1.15.0 or 2.2.2. The only known workaround for this issue is to completely disable the Nextcloud Mail app.
References (5)
Vendor Advisory: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8gcx-r739-9pf6
Patch: https://github.com/nextcloud/mail/pull/7796
Exploit, Third Party Advisory: https://hackerone.com/reports/1736390
Exploit, Third Party Advisory: https://hackerone.com/reports/1741525
Exploit, Third Party Advisory: https://hackerone.com/reports/1746582
Scores
CVSS v3: 5.0
EPSS: 0.0078
EPSS Percentile: 73.9%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-918
Status: published
Products (1)
nextcloud/mail
< 1.15.0
Published: Feb 06, 2023
Tracked Since: Feb 18, 2026