Headline
CVE-2022-31132
Nextcloud Mail is an email application for the nextcloud personal cloud product. Affected versions shipped with a CSS minifier on the path ./vendor/cerdic/css-tidy/css_optimiser.php. Access to the minifier is unrestricted and access may lead to Server-Side Request Forgery (SSRF). It is recommendet to upgrade to Mail 1.12.7 or Mail 1.13.6. Users unable to upgrade may manually delete the file located at ./vendor/cerdic/css-tidy/css_optimiser.php
Impact
This vulnerability can be exploited by an unauthenticated attacker and opens the possibility of not only attacking other local services, but also the router of the home network. The ability to receive and write CSS files can be used by the attacker to find out what other services are running on devices in the network or what kind of router is used etc. before running additional attacks.
Patches
It is recommendet to upgrade to Mail 1.12.7 or Mail 1.13.6
Workarounds
Users can manually delete the file located at ./vendor/cerdic/css-tidy/css_optimiser.php
References
- Pull request
- HackerOne
For more information
If you have any questions or comments about this advisory:
- Create a post in nextcloud/security-advisories
- Customers: Open a support ticket at support.nextcloud.com