CVE-2021-32707

Nextcloud Mail is a mail app for Nextcloud. In versions prior to 1.9.6, the Nextcloud Mail application does not, by default, render images in emails to not leak the read state. The privacy filter failed to filter images with a background-image CSS attribute. Note that the images were still passed through the Nextcloud image proxy, and thus there was no IP leakage. The issue was patched in version 1.9.6 and 1.10.0. No workarounds are known to exist.

Published: Jul 12, 2021
Updated: Apr 14, 2023
CVE: CVE-2021-32707
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 4.3
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CVSS v2:

Severity: Low
Score: 4
AV:N/AC:L/Au:S/C:N/I:P/A:N

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
nextcloud / mail	-	1.9.6

https://github.com/nextcloud/mail/pull/5189
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xxp4-44xc-8crh
https://hackerone.com/reports/1215251

Vulnerability Database

289,784

CVE-2021-32707