VYPR
Unrated severity · NVD Advisory · Published May 27, 2023 · Updated Jan 14, 2025

Blind SSRF in the Nextcloud Mail app on avatar endpoint

CVE-2023-33184

Description

Nextcloud Mail is a mail app in Nextcloud. A blind SSRF attack allowed sending GET requests to services running on the same web server. It is recommended that the Mail app is updated to version 3.02, 2.2.5 or 1.15.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Nextcloud Mail app contains a blind SSRF vulnerability allowing GET requests to internal services; fixed in versions 3.0.2, 2.2.5, 1.15.3.

Vulnerability

Nextcloud Mail app versions prior to 3.0.2, 2.2.5, and 1.15.3 are vulnerable to a blind server-side request forgery (SSRF) in the avatar endpoint. The app fails to properly validate hostnames when fetching favicons, allowing an attacker to trigger GET requests to arbitrary internal services [1][2].

Exploitation

An attacker with access to the Nextcloud Mail app (e.g., an authenticated user) can craft a malicious email or configure an account to include a crafted avatar URL. The lack of host validation causes the server to make a GET request to the attacker-specified host [2]. No additional privileges beyond basic user access are required, though user interaction may be needed to open the email or view the avatar.

Impact

Successful exploitation allows an attacker to send blind GET requests to services running on the same web server or internal network. This can be used to probe internal services, potentially leading to information disclosure or triggering actions on vulnerable internal endpoints [2].

Mitigation

Update the Nextcloud Mail app to version 3.0.2, 2.2.5, or 1.15.3 [1][2]. No workarounds are currently available. The fix is implemented in pull request #8275, which adds validation for favicon hosts [1].
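The fix is described only as "validation for favicon hosts". To show what such a check has to cover, here is an added example in Python; it is not Nextcloud's code and does not reproduce the contents of pull request #8275. The blocklist, the `validate_favicon_url` and `resolve_all` names, and the injectable `resolver` parameter (used so the check runs offline against a constructed DNS table) are all assumptions of this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical policy: address ranges a server-side favicon fetch must never reach.
# Covers loopback, RFC 1918, CGNAT, link-local (which includes the cloud metadata
# range), multicast/reserved, and the IPv6 unspecified, loopback, ULA and link-local ranges.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def _address_is_blocked(addr: str) -> bool:
    """True if addr falls in any blocked range; IPv4-mapped IPv6 is unwrapped first."""
    ip = ipaddress.ip_address(addr)
    # ::ffff:127.0.0.1 is loopback in disguise; compare its IPv4 form.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def resolve_all(host: str) -> list:
    """Default resolver (assumed helper): every A/AAAA answer for host via getaddrinfo."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def validate_favicon_url(url: str, resolver=resolve_all):
    """Return (ok, reason, addresses).

    ok is True only when the scheme is http(s), the URL carries no credentials,
    and *every* address the host resolves to lies outside BLOCKED_NETWORKS.
    Checking every answer, not just the first, is what defeats a host that mixes
    a public address with a loopback one.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed", []
    host = parts.hostname
    if not host:
        return False, "missing host", []
    if parts.username or parts.password:
        return False, "credentials in URL", []
    try:
        ipaddress.ip_address(host)      # literal IP: no DNS lookup needed
        addrs = [host]
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        return False, "host does not resolve", []
    for addr in addrs:
        try:
            if _address_is_blocked(addr):
                return False, f"resolves to blocked address {addr}", addrs
        except ValueError:
            return False, f"unparseable address {addr}", addrs
    return True, "ok", addrs


if __name__ == "__main__":
    # Constructed DNS table so the demo runs without network access.
    fake_dns = {
        "example.com": ["93.184.216.34"],
        "intranet.corp": ["10.0.0.5"],
        "mixed.test": ["93.184.216.34", "127.0.0.1"],
    }
    for candidate in ("https://example.com/favicon.ico", "http://127.0.0.1/",
                      "http://intranet.corp/favicon.ico", "http://mixed.test/",
                      "file:///etc/hosts"):
        print(candidate, "->", validate_favicon_url(candidate, fake_dns.get))
```

Two caveats a reviewer would raise against any such validator: the addresses checked here must be the ones the HTTP client actually connects to (a second lookup inside the client reopens the race), and every redirect target must go through the same check before it is followed.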

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Nextcloud/Mail (llm-fuzzy)
    Range: >= 1.15.3, <= 2.2.5, >= 3.02
  • nextcloud/security-advisories (v5)
    Range: < 1.15.3

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (3)

News mentions (0)

No linked articles in our index yet.