CVE-2023-48307
LOWNextcloud Mail 1.13.0-2.2.7 - Server-Side Request Forgery via Unprotected Endpoint
Title source: llmDescription
Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. Starting in version 1.13.0 and prior to version 2.2.8 and 3.3.0, an attacker can use an unprotected endpoint in the Mail app to perform a SSRF attack. Nextcloud Mail app versions 2.2.8 and 3.3.0 contain a patch for this issue. As a workaround, disable the mail app.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4pp4-m8ph-2999
Issue Tracking, Patch x_refsource_misc
https://github.com/nextcloud/mail/pull/8709
Permissions Required x_refsource_misc
https://hackerone.com/reports/1869714
Scores
CVSS v3
3.5
EPSS
0.0018
EPSS Percentile
39.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
Details
CWE
CWE-918
Status
published
Products (1)
nextcloud/mail
1.13.0 - 2.2.8
Published
Nov 21, 2023
Tracked Since
Feb 18, 2026