Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2021-41233

Nextcloud text is a collaborative document editing using Markdown built for the nextcloud server. Due to an issue with the Nextcloud Text application, which is by default shipped with Nextcloud Server, an attacker is able to access the folder names of "File Drop". For successful exploitation an attacker requires knowledge of the sharing link. It is recommended that users upgrade their Nextcloud Server to 20.0.14, 21.0.6 or 22.2.1. Users unable to upgrade should disable the Nextcloud Text application in the application settings.

Published

2022-03-10T21:15:13.213

Last Modified

2024-11-21T06:25:50.783

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.5 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:N/A:N

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Exploitability Score

8.6

Impact Score

2.9

Weaknesses

Type: Secondary
CWE-862
Type: Primary
CWE-863

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	nextcloud	nextcloud_server	< 20.0.14	Yes
Application	nextcloud	nextcloud_server	< 21.0.6	Yes
Application	nextcloud	nextcloud_server	< 22.2.1	Yes

References

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-26c8-35cm-xq9m Third Party Advisory ([email protected])
https://github.com/nextcloud/text/pull/1884 Patch, Third Party Advisory ([email protected])
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-26c8-35cm-xq9m Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/nextcloud/text/pull/1884 Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)