Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-25150

Nextcloud office/richdocuments is an office suit for the nextcloud server platform. In affected versions the Collabora integration can be tricked to provide access to any file without proper permission validation. As a result any user with access to Collabora can obtain the content of other users files. It is recommended that the Nextcloud Office App (Collabora Integration) is updated to 7.0.2 (Nextcloud 25), 6.3.2 (Nextcloud 24), 5.0.10 (Nextcloud 23), 4.2.9 (Nextcloud 21-22), or 3.8.7 (Nextcloud 15-20). There are no known workarounds for this issue.

Published

2023-02-08T20:15:24.447

Last Modified

2024-11-21T07:49:12.283

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.8 (MEDIUM)

Weaknesses

Type: Secondary
CWE-284
Type: Primary
CWE-732

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	nextcloud	richdocuments	< 3.8.7	Yes
Application	nextcloud	richdocuments	< 4.2.9	Yes
Application	nextcloud	richdocuments	< 5.0.10	Yes
Application	nextcloud	richdocuments	< 6.3.2	Yes
Application	nextcloud	richdocuments	< 7.0.2	Yes

References

https://github.com/nextcloud/richdocuments/pull/2669 Patch, Vendor Advisory ([email protected])
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-64xc-r58v-53gj Vendor Advisory ([email protected])
https://hackerone.com/reports/1788222 Permissions Required, Third Party Advisory ([email protected])
https://github.com/nextcloud/richdocuments/pull/2669 Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-64xc-r58v-53gj Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://hackerone.com/reports/1788222 Permissions Required, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)