Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-49791

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. In Nextcloud Server prior to versions 26.0.9 and 27.1.4; as well as Nextcloud Enterprise Server prior to versions 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4; when an attacker manages to get access to an active session of another user via another way, they could delete and modify workflows by sending calls directly to the API bypassing the password confirmation shown in the UI. Nextcloud Server versions 26.0.9 and 27.1.4 and Nextcloud Enterprise Server versions 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4 contain a patch for this issue. No known workarounds are available.

Published

2023-12-22T17:15:08.683

Last Modified

2024-11-21T08:33:50.957

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.4 (MEDIUM)

Weaknesses

Type: Primary
CWE-284
CWE-287

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	nextcloud	nextcloud_server	< 23.0.12.13	Yes
Application	nextcloud	nextcloud_server	< 24.0.12.9	Yes
Application	nextcloud	nextcloud_server	< 25.0.13.4	Yes
Application	nextcloud	nextcloud_server	< 26.0.9	Yes
Application	nextcloud	nextcloud_server	< 26.0.9	Yes
Application	nextcloud	nextcloud_server	< 27.1.4	Yes
Application	nextcloud	nextcloud_server	< 27.1.4	Yes

References

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-3f8p-6qww-2prr Vendor Advisory ([email protected])
https://github.com/nextcloud/server/pull/41520 Patch ([email protected])
https://hackerone.com/reports/2120667 Permissions Required ([email protected])
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-3f8p-6qww-2prr Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/nextcloud/server/pull/41520 Patch (af854a3a-2127-422b-91ae-364da2661108)
https://hackerone.com/reports/2120667 Permissions Required (af854a3a-2127-422b-91ae-364da2661108)