Vulnerability Monitor

CVE-2023-48302


Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.13, 26.0.8, and 27.1.3 of Nextcloud Server and Nextcloud Enterprise Server, when a user is tricked into copying HTML code and pasting it without markup (Ctrl+Shift+V), the markup is rendered anyway. Nextcloud Server and Nextcloud Enterprise Server versions 25.0.13, 26.0.8, and 27.1.3 contain a fix for this issue. As a workaround, disable the Text app.


Published: 2023-11-21T22:15:07.697

Last Modified: 2024-11-21T08:31:26.690

Status: Modified

Source: [email protected]

Severity: CVSSv3.1: 3.5 (LOW)

Weaknesses
  • Type: Primary
    CWE-79

Affected Vendors & Products

Type         Vendor     Product           Version/Range  Vulnerable?
Application  nextcloud  nextcloud_server  < 25.0.13      Yes
Application  nextcloud  nextcloud_server  < 25.0.13      Yes
Application  nextcloud  nextcloud_server  < 26.0.8       Yes
Application  nextcloud  nextcloud_server  < 26.0.8       Yes
Application  nextcloud  nextcloud_server  < 27.1.3       Yes
Application  nextcloud  nextcloud_server  < 27.1.3       Yes