Mail auto configurator sends account information to `autoconfig.tld` server when no auto-configuration is possible

Impact

When a user is trying to set up a mail account with an email address like user@example.tld that does not support auto configuration, and an attacker managed to register autoconfig.tld, the used email details would be send to the server of the attacker. Registering autoconfig.tld is not possible for most of the tlds, especially .com, .de, and the like.

Patches

It is recommended that the Nextcloud Mail app is upgraded to 1.14.6, 1.15.4, 2.2.11, 3.6.3, 3.7.7 or 4.0.0

Workarounds

No workaround available

References

For more information

If you have any questions or comments about this advisory:

Create a post in nextcloud/security-advisories
Customers: Open a support ticket at portal.nextcloud.com

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Mail auto configurator sends account information to `autoconfig.tld` server when no auto-configuration is possible

Package

Affected versions

Patched versions

Description

Impact

Patches

Workarounds

References

For more information

Severity

CVSS overall score

CVSS v3 base metrics

CVSS v3 base metrics

CVE ID

Weaknesses

Credits