CVE-2023-25160 MEDIUM

CVE-2023-25160: IDOR Vulnerability in Nextcloud Mail

Vendor Nextcloud
Product security-advisories
Weakness CWE-639 · IDOR
Published February 13, 2023
Last update March 10, 2025

CVSS base score

4.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N

What the vulnerability does

01Description

Nextcloud Mail is an email app for the Nextcloud home server platform. Prior to versions 2.2.1, 1.14.5, 1.12.9, and 1.11.8, an attacker can access the mail box by ID getting the subjects and the first characters of the emails. Users should upgrade to Mail 2.2.1 for Nextcloud 25, Mail 1.14.5 for Nextcloud 22-24, Mail 1.12.9 for Nextcloud 21, or Mail 1.11.8 for Nextcloud 20 to receive a patch. No known workarounds are available.

Key dates

02Disclosure timeline

February 13, 2023 CVE published
March 10, 2025 Record updated