Vulnerability Monitor

CVE-2023-48301


Nextcloud Server provides data storage for Nextcloud, an open-source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.13, 26.0.8, and 27.1.3 of Nextcloud Server and Nextcloud Enterprise Server, an attacker could insert links into a circle's name that would be opened when clicking the circle name in a search filter. Nextcloud Server and Nextcloud Enterprise Server versions 25.0.13, 26.0.8, and 27.1.3 contain a fix for this issue. As a workaround, disable the Circles app.


Published: 2023-11-21T22:15:07.490

Last Modified: 2024-11-21T08:31:26.527

Status: Modified

Source: [email protected]

Severity: CVSSv3.1: 3.5 (LOW)

Weaknesses
  • Type: Primary
    CWE-79

Affected Vendors & Products
Type         Vendor     Product           Version/Range  Vulnerable?
Application  nextcloud  nextcloud_server  ≤ 25.0.13      Yes
Application  nextcloud  nextcloud_server  < 25.0.13      Yes
Application  nextcloud  nextcloud_server  ≤ 26.0.8       Yes
Application  nextcloud  nextcloud_server  < 26.0.8       Yes
Application  nextcloud  nextcloud_server  ≤ 27.1.3       Yes
Application  nextcloud  nextcloud_server  < 27.1.3       Yes
