In versions prior to 1.9.6, the Nextcloud Mail application does not, by default, render images in emails to not leak the read state. The privacy filter failed to filter images with `background-image` CSS attribute. Note that the images were still passed through the Nextcloud image proxy, and thus there was no IP leakage.
In versions prior to 1.9.6, the Nextcloud Mail application does not, by default, render images in emails to not leak the read state. The privacy filter failed to filter images with `background-image` CSS attribute. Note that the images were still passed through the Nextcloud image proxy, and thus there was no IP leakage.
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xxp4-44xc-8crh https://hackerone.com/reports/1215251 https://github.com/nextcloud/mail/pull/5189 https://github.com/nextcloud/mail/commit/e54c2331f4b98cc39a5b3899c8ed1468dfc5cc30