CVE-2023-25159

CVSS V2 None CVSS V3 None

Description

Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform, and Nextcloud Office is a document collaboration app for the same platform. Nextcloud Server 24.0.x prior to 24.0.8 and 25.0.x prior to 25.0.1, Nextcloud Enterprise Server 24.0.x prior to 24.0.8 and 25.0.x prior to 25.0.1, and Nextcloud Office (Richdocuments) App 6.x prior to 6.3.1 and 7.x prior to 7.0.1 have previews accessible without a watermark. The download should be hidden and the watermark should get applied. This issue is fixed in Nextcloud Server 25.0.1 and 24.0.8, Nextcloud Enterprise Server 25.0.1 and 24.0.8, and Nextcloud Office (Richdocuments) App 7.0.1 (for 25) and 6.3.1 (for 24). No known workarounds are available.

Overview

CVE ID
CVE-2023-25159

Assigner
security-advisories@github.com

Vulnerability Status
Analyzed

Published Version
2023-02-13T17:15:11

Last Modified Date
2023-02-24T18:50:52

Weakness Enumerations

CWE	URL
NVD-CWE-noinfo	http://cwe.mitre.org/data/definitions/NVD-noinfo.html
CWE-284	http://cwe.mitre.org/data/definitions/284.html

CPE Configuration (Product)

CPE	Vulnerable	Operator	Version Start	Version End
cpe:2.3:a:nextcloud:nextcloud_server::::::::	1	OR	24.0.4	24.0.8
cpe:2.3:a:nextcloud:nextcloud_server:24.0.2:-::::::	1	OR
cpe:2.3:a:nextcloud:nextcloud_server:25.0.0:::::::*	1	OR
cpe:2.3:a:nextcloud:richdocuments::::::::	1	OR	6.0.0	6.3.1
cpe:2.3:a:nextcloud:richdocuments:7.0.0:-::::::	1	OR

References

Reference URL	Reference Tags
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-92g2-h5jv-jjmg	Vendor Advisory
https://hackerone.com/reports/1745755	Permissions Required Third Party Advisory

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2023-25159
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25159

History

Created	Old Value	New Value	Data Type	Notes
2023-04-17 07:38:42				Added to TrackCVE
2023-04-17 07:38:44			Weakness Enumeration	new