Mail app not verifying TLS host of mail servers (NC-SA-2020-020)
24th March 2020
Risk level: Low
CVSS v3 Base Score: 5.9 (AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L)
HackerOne report: 803734
Nextcloud Mail 1.1.3 established TLS connections to mail servers without verifying that the server certificate's hostname matched the configured mail server. A certificate issued for any name by a trusted CA was therefore accepted, which allowed a man-in-the-middle attacker on the network path to intercept the connection and the credentials and mail sent over it.
Affected software:
- Nextcloud Mail < 1.1.4 (CVE-2020-8156)
The error has been fixed.
It is recommended that the Nextcloud Mail app be upgraded to 1.1.4.
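The following is an added illustration of the bug class in this advisory; it is not Nextcloud Mail's own code (which is PHP) and does not reproduce the actual defect. It shows, in Python, what "verifying the TLS host" means: after the certificate chain is validated, the name the client dialed must still match a DNS entry in the certificate's subjectAltName (RFC 6125 rules, wildcard only as the whole leftmost label), and the ssl context must be configured so that the library performs that check. The certificate dicts, hostnames and the `accept_server` decision function are constructed for the example and mirror the shape `ssl.SSLSocket.getpeercert()` returns; they do not describe any real server.

```python
"""Hostname verification for a TLS connection to a mail server.

Added example, not Nextcloud Mail's code. The certificates below are
constructed dicts in the format of ssl.SSLSocket.getpeercert(); the
hostnames are placeholders.
"""
import ssl


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match of one certificate DNS name against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # A wildcard is only valid as the entire leftmost label (e.g. *.mail.example.org),
    # never matches across a dot, and is rejected for names such as *.org.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if the dialed hostname is covered by the certificate's DNS names."""
    dns_names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if not dns_names:
        # Legacy fallback to the Common Name, only when the certificate has
        # no subjectAltName DNS entries at all.
        dns_names = [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]
    return any(_dns_name_matches(name, hostname) for name in dns_names)


def accept_server(cert: dict, dialed_host: str, verify_host: bool, chain_valid: bool = True) -> bool:
    """Decision a mail client makes after the TLS handshake (constructed helper).

    chain_valid stands in for the CA-signature check the TLS library performs.
    With verify_host=False any certificate from a trusted CA is accepted no
    matter which name it was issued for: that is the condition the advisory
    describes, and it is what a man-in-the-middle needs.
    """
    if not chain_valid:
        return False
    if not verify_host:
        return True
    return hostname_matches(cert, dialed_host)


def weak_mail_tls_context() -> ssl.SSLContext:
    """Chain is checked, hostname is not: the vulnerable configuration."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx


def hardened_mail_tls_context() -> ssl.SSLContext:
    """Chain and hostname both checked; what a mail client should use."""
    ctx = ssl.create_default_context()  # loads the system CA store
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_verifies_host(ctx: ssl.SSLContext) -> bool:
    """Check to run in tests or a startup self-check of a mail client."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


# Constructed certificates (placeholder names, not real servers).
LEGIT_CERT = {
    "subject": ((("commonName", "imap.example.org"),),),
    "subjectAltName": (("DNS", "imap.example.org"), ("DNS", "*.mail.example.org")),
}
# A certificate a trusted CA would legitimately issue to an attacker for a
# name the attacker controls; it chains correctly but is for the wrong host.
MITM_CERT = {
    "subject": ((("commonName", "mitm.example.net"),),),
    "subjectAltName": (("DNS", "mitm.example.net"),),
}

if __name__ == "__main__":
    dialed = "imap.example.org"
    print("without host check, MITM cert accepted:", accept_server(MITM_CERT, dialed, verify_host=False))
    print("with host check, MITM cert accepted:   ", accept_server(MITM_CERT, dialed, verify_host=True))
    print("hardened context verifies host:        ", context_verifies_host(hardened_mail_tls_context()))
```

In a real client the `hostname_matches` logic is done by the TLS library when `check_hostname` is on; the point of spelling it out is to make clear that chain validation alone says nothing about who you are talking to, which is exactly the gap a man-in-the-middle exploits.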
The Nextcloud team thanks the following people for their research and responsible disclosure of the above vulnerability:
- Frank Isemann - Vulnerability discovery and disclosure.
This advisory is licensed CC BY-SA 4.0.