[manjaro-security] [ASA-202107-41] nextcloud-app-mail: information disclosure
Jonas Witschel via arch-security
arch-security at lists.archlinux.org
Tue Jul 20 21:30:45 CEST 2021
Arch Linux Security Advisory ASA-202107-41
Date : 2021-07-20
CVE-ID : CVE-2021-32707
Package : nextcloud-app-mail
Type : information disclosure
Remote : Yes
Link : https://security.archlinux.org/AVG-2145
The package nextcloud-app-mail before version 1.10.1-1 is vulnerable to
Upgrade to 1.10.1-1.
# pacman -Syu "nextcloud-app-mail>=1.10.1-1"
The problem has been fixed upstream in version 1.10.1.
In versions prior to 1.9.6, the Nextcloud Mail application does not, by
default, render images in emails to not leak the read state. The
privacy filter failed to filter images with `background-image` CSS
attribute. Note that the images were still passed through the Nextcloud
image proxy, and thus there was no IP leakage.
A remote attacker could disclose whether an email message has been read
by embedding a remote CSS background image.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 833 bytes
Desc: not available
More information about the manjaro-security