Affected versions were found to be vulnerable to SMTP command injection. Nextcloud server is an open source personal cloud server. There are no known workarounds for this issue.
#UNKNOWN DISCONNECTION REASON 3335 UPGRADE#
Users are advised to upgrade to version 10.0.3. It was found that in affected versions there is an exposure of private information defined in setup of GLPI (like smtp or cas hosts). GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. This might need adjustments for older versions, though. The template file `suggest.vm` can be replaced by a patched version without upgrading or restarting XWiki unless it has been overridden, in which case the overridden template should be patched, too. Password properties are no longer displayed and rights are checked for other properties. The issue is patched in version 13.10.4 and 14.2. By exploiting an additional vulnerability, this issue can even be exploited on private wikis at least for string properties. Sensitive configuration fields like passwords for LDAP or SMTP servers could be accessed. This includes private personal information like email addresses and salted password hashes of registered users but also other information stored in properties of objects. Through the suggestion feature, string and list properties of objects the user shouldn't have access to can be accessed in versions prior to 13.10.4 and 14.2. XWiki Platform Web Templates are templates for XWiki Platform, a generic wiki platform.