Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nvd[email protected]NVD:CVE-2023-28833
HistoryMar 30, 2023 - 7:15 p.m.

CVE-2023-28833

2023-03-3019:15:06
CWE-22
CWE-434
[email protected]
web.nvd.nist.gov
3
nextcloud server
file upload
unrestricted filenames
file overwrite
upgrade recommended

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

6.2

Confidence

High

EPSS

0.002

Percentile

53.8%

JSON

Nextcloud server is an open source home cloud implementation. In affected versions admins of a server were able to upload a logo or a favicon and to provided a file name which was not restricted and could overwrite files in the appdata directory. Administrators may have access to overwrite these files by other means but this method could be exploited by tricking an admin into uploading a maliciously named file. It is recommended that the Nextcloud Server is upgraded to 24.0.10 or 25.0.4. Users unable to upgrade should avoid ingesting logo files from untrusted sources.

Affected configurations

Nvd
Node
nextcloudnextcloud_serverRange23.0.023.0.14enterprise
OR
nextcloudnextcloud_serverRange24.0.024.0.10-
OR
nextcloudnextcloud_serverRange24.0.024.0.10enterprise
OR
nextcloudnextcloud_serverRange25.0.025.0.4-
OR
nextcloudnextcloud_serverRange25.0.025.0.4enterprise
VendorProductVersionCPE
nextcloudnextcloud_server*cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*
nextcloudnextcloud_server*cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:*

Related

nextcloud 1
cve 1
hackerone 1
osv 1
cvelist 1
prion 1
openvas 1
redos 1
nextcloud
nextcloud
Ability to control the filename when uploading a logo or favicon as admin in the theming settings
2023-03-30 08:23:26
cve
cve
CVE-2023-28833
2023-03-30 19:15:06
hackerone
hackerone
Nextcloud: Ability to control the filename when uploading a logo or favicon on theming
2022-11-22 20:46:30
osv
osv
CVE-2023-28833
2023-03-30 19:15:06
cvelist
cvelist
CVE-2023-28833 Unrestricted filenames for logo or favicon as admin in the theming settings in nextcloud server
2023-03-30 18:49:38
prion
prion
Design/Logic Flaw
2023-03-30 19:15:00
openvas
openvas
Nextcloud Server 24.x < 24.0.10, 25.x < 25.0.4 Multiple Vulnerabilities (GHSA-h3c9-cmh8-7qpj, GHSA-ch7f-px7m-hg25, GHSA-5w64-6c42-rgcv, GHSA-7w2p-rp9m-9xp9)
2023-04-03 00:00:00
redos
redos
ROS-20230418-01
2023-04-18 00:00:00

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

6.2

Confidence

High

EPSS

0.002

Percentile

53.8%

JSON
Related for NVD:CVE-2023-28833
nextcloud1cve1hackerone1osv1cvelist1prion1openvas1redos1