CVE-2023-25160

Nextcloud Mail is an email app for the Nextcloud home server platform. Prior to versions 2.2.1, 1.14.5, 1.12.9, and 1.11.8, an attacker can access the mail box by ID getting the subjects and the first characters of the emails. Users should upgrade to Mail 2.2.1 for Nextcloud 25, Mail 1.14.5 for Nextcloud 22-24, Mail 1.12.9 for Nextcloud 21, or Mail 1.11.8 for Nextcloud 20 to receive a patch. No known workarounds are available.

Published: Feb 13, 2023
Updated: Apr 14, 2023
CVE: CVE-2023-25160
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.3
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWEs:

CWE-639

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
nextcloud / mail	-	1.11.8
nextcloud / mail	1.12.0	1.12.9
nextcloud / mail	1.13.0	1.14.5
nextcloud / mail	2.0.0	2.2.1

https://github.com/nextcloud/mail/pull/7740
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-m45f-r5gh-h6cx
https://hackerone.com/reports/1784681

Vulnerability Database

289,784

CVE-2023-25160