[manjaro-security] [ASA-202107-41] nextcloud-app-mail: information disclosure
Jonas Witschel via arch-security
arch-security at lists.archlinux.org
Tue Jul 20 21:30:45 CEST 2021
Arch Linux Security Advisory ASA-202107-41
==========================================
Severity: Low
Date : 2021-07-20
CVE-ID : CVE-2021-32707
Package : nextcloud-app-mail
Type : information disclosure
Remote : Yes
Link : https://security.archlinux.org/AVG-2145
Summary
=======
The package nextcloud-app-mail before version 1.10.1-1 is vulnerable to
information disclosure.
Resolution
==========
Upgrade to 1.10.1-1.
# pacman -Syu "nextcloud-app-mail>=1.10.1-1"
The problem has been fixed upstream in version 1.10.1.
Workaround
==========
None.
Description
===========
In versions prior to 1.9.6, the Nextcloud Mail application does not
render images in emails by default, so as not to leak the read state.
The privacy filter failed to filter images referenced through the
`background-image` CSS property. Note that the images were still passed
through the Nextcloud image proxy, and thus there was no IP leakage.
Impact
======
A remote attacker could determine whether an email message has been
read by embedding a remote CSS background image.
References
==========
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xxp4-44xc-8crh
https://hackerone.com/reports/1215251
https://github.com/nextcloud/mail/pull/5189
https://github.com/nextcloud/mail/commit/e54c2331f4b98cc39a5b3899c8ed1468dfc5cc30
https://security.archlinux.org/CVE-2021-32707
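
The gap in the Description (a filter that covers <img> but not CSS
`background-image`) can be checked for with a small scanner. This is an
added example, not code from Nextcloud Mail or from the advisory; the
function names, the sample message and the example.invalid host are
constructed for illustration.

```python
import re
from html.parser import HTMLParser

# url(...) in any CSS declaration (background-image, background shorthand, ...),
# quoted or not; REMOTE matches http(s) and protocol-relative URLs only.
CSS_URL = re.compile(r"url\(\s*(['\"]?)(.*?)\1\s*\)", re.IGNORECASE)
REMOTE = re.compile(r"^\s*(https?:)?//", re.IGNORECASE)

class RemoteRefFinder(HTMLParser):
    """Collect remote URLs that rendering the message would fetch."""
    def __init__(self, check_css):
        super().__init__()
        self.check_css = check_css   # False models the incomplete filter
        self.in_style = False
        self.found = []

    def _css(self, css):
        for _, url in CSS_URL.findall(css):
            if REMOTE.match(url):
                self.found.append(("css", url))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "img" and REMOTE.match(attrs.get("src") or ""):
            self.found.append(("img", attrs["src"]))
        if tag == "style":
            self.in_style = True
        if self.check_css and attrs.get("style"):
            self._css(attrs["style"])          # inline style="" attribute

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False

    def handle_data(self, data):
        if self.check_css and self.in_style:
            self._css(data)                    # <style> block contents

def remote_refs(html, check_css=True):
    finder = RemoteRefFinder(check_css)
    finder.feed(html)
    finder.close()
    return finder.found

# Constructed sample message body; example.invalid is a placeholder host.
SAMPLE = """<html><head><style>td.h { background: URL(//example.invalid/b.gif) }</style></head>
<body><img src="https://example.invalid/a.png">
<div style="background-image: url('https://example.invalid/t.png')">Hi</div>
<div style="background-image: url(data:image/gif;base64,R0lGOD)">inline</div></body></html>"""
```

With check_css=False only the <img> reference is reported, which is the
blind spot the advisory describes; the default also reports the two CSS
references and ignores the embedded data: image.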