Nextcloud Mail is an email application for the nextcloud personal cloud product. Affected versions shipped with a CSS minifier on the path ./vendor/cerdic/css-tidy/css_optimiser.php
. Access to the minifier is unrestricted and access may lead to Server-Side Request Forgery (SSRF). It is recommendet to upgrade to Mail 1.12.7 or Mail 1.13.6. Users unable to upgrade may manually delete the file located at ./vendor/cerdic/css-tidy/css_optimiser.php
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Nextcloud | * | 1.12.8 (excluding) | |
Nextcloud | 1.13.0 (including) | 1.13.6 (excluding) |