Description
Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. When a user sets up a mail account with an address at a domain such as example.tld that does not support autoconfiguration, and an attacker has managed to register autoconfig.tld, the email details entered for the account setup are sent to the attacker's server. It is recommended that the Nextcloud Mail app be upgraded to 1.14.6, 1.15.4, 2.2.11, 3.6.3, 3.7.7 or 4.0.0.
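A conservative host check for the autoconfig lookup described above, added here as an illustration; it is not code from Nextcloud Mail, the linked fix, or the advisory. Two things are assumed rather than taken from this page: the Thunderbird-style lookup format (a GET to autoconfig.<domain>/mail/config-v1.1.xml carrying the address in an emailaddress query parameter), and a "walk up the domain" candidate list as one lookup pattern that would end at the autoconfig.tld host the advisory mentions. The actual pre-fix behaviour lives in the linked commit and is not reproduced. The check only trusts a host that is exactly autoconfig.<mail domain>, so a host under a parent label that anyone can register is refused.

```python
# Added example; not Nextcloud Mail code. Assumed (not from the advisory):
# Thunderbird-style autoconfig URLs and a walk-up candidate list that
# illustrates how a lookup can drift from autoconfig.example.tld to
# autoconfig.tld, a host an attacker can register.
from urllib.parse import quote

AUTOCONFIG_PATH = "/mail/config-v1.1.xml"  # assumed lookup path (Thunderbird scheme)


def mail_domain(email: str) -> str:
    """Lowercase domain part of an address; rejects input without a dotted domain."""
    local, sep, domain = email.strip().rpartition("@")
    domain = domain.lower().rstrip(".")
    if not sep or not local or "@" in local or "." not in domain:
        raise ValueError(f"not a usable mail address: {email!r}")
    if any(not label for label in domain.split(".")):
        raise ValueError(f"empty label in domain of {email!r}")
    return domain


def walk_up_candidates(domain: str) -> list[str]:
    """Illustrative UNSAFE candidate list (assumed pattern, not the project's code):
    autoconfig.<domain>, then every parent domain, ending at autoconfig.<tld>."""
    labels = domain.split(".")
    return ["autoconfig." + ".".join(labels[i:]) for i in range(len(labels))]


def is_trusted_autoconfig_host(email: str, host: str) -> bool:
    """True only when host is exactly autoconfig.<mail domain of email>.
    Parent domains (autoconfig.tld) and look-alikes (autoconfig.example.tld.evil)
    are rejected by the exact comparison."""
    return host.lower().rstrip(".") == "autoconfig." + mail_domain(email)


def safe_autoconfig_urls(email: str, candidates: list[str]) -> list[str]:
    """Filter candidate hosts to the trusted one and build the lookup URL.
    The address is placed in the emailaddress query parameter, so this is
    exactly the data that must never leave for an attacker-controlled host."""
    urls = []
    for host in candidates:
        if is_trusted_autoconfig_host(email, host):
            urls.append(
                f"https://{host}{AUTOCONFIG_PATH}?emailaddress={quote(email, safe='')}"
            )
    return urls


if __name__ == "__main__":
    addr = "user@example.tld"  # constructed sample address
    cands = walk_up_candidates(mail_domain(addr))
    print("unsafe candidate hosts:", cands)
    print("hosts actually contacted:", safe_autoconfig_urls(addr, cands))
```

Running it shows the walk-up list containing autoconfig.tld while only the autoconfig.example.tld URL survives the filter. In a real client the same exact-match rule should be applied before any DNS or HTTP activity, and a configuration fetched from any other host should be treated as untrusted.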
References (4)
Vendor Advisory (x_refsource_confirm): https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vmhx-hwph-q6mc
Issue Tracking (x_refsource_misc): https://github.com/nextcloud/mail/pull/9964
Patch (x_refsource_misc): https://github.com/nextcloud/mail/commit/a84c70e15d814dab6f0e8eda71bbaaf48152079b
Issue Tracking (x_refsource_misc): https://hackerone.com/reports/2508422
Scores
CVSS v3: 8.2
EPSS: 0.0030
EPSS Percentile: 53.0%
Attack Vector: NETWORK
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L
CISA SSVC (source: Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
Status: published
Products (1)
nextcloud/mail: 1.9.0 - 1.14.6 (1.14.6 is the fixed release named in the description)
Published: Nov 15, 2024
Tracked Since: Feb 18, 2026