CVE-2023-39961

CVSS V2 None CVSS V3 None

Description

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 24.0.4 and prior to versions 25.0.9, 26.0.4, and 27.0.1, when a folder with images or an image was shared without download permissions, the user could add the image inline into a text file and download it. Nextcloud Server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. No known workarounds are available.

Overview

CVE ID
CVE-2023-39961

Assigner
security-advisories@github.com

Vulnerability Status
Analyzed

Published Version
2023-08-10T18:15:10

Last Modified Date
2023-08-16T18:35:46

Weakness Enumerations

CWE	URL
CWE-284	http://cwe.mitre.org/data/definitions/284.html

CPE Configuration (Product)

CPE	Vulnerable	Operator	Version Start	Version End
cpe:2.3:a:nextcloud:nextcloud_server:::::-:::*	1	OR	25.0.0	25.0.9
cpe:2.3:a:nextcloud:nextcloud_server:::::enterprise:::*	1	OR	25.0.0	25.0.9
cpe:2.3:a:nextcloud:nextcloud_server:::::-:::*	1	OR	26.0.0	26.0.4
cpe:2.3:a:nextcloud:nextcloud_server:::::enterprise:::*	1	OR	26.0.0	26.0.4
cpe:2.3:a:nextcloud:nextcloud_server:27.0.0::::-:::	1	OR
cpe:2.3:a:nextcloud:nextcloud_server:27.0.0::::enterprise:::	1	OR

References

Reference URL	Reference Tags
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-qhgm-w4gx-gvgp	Vendor Advisory
https://github.com/nextcloud/text/pull/4481	Patch
https://hackerone.com/reports/1965156	Permissions Required

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2023-39961
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39961

History

Created	Old Value	New Value	Data Type	Notes
2023-09-06 03:30:53				Added to TrackCVE
2023-09-06 03:30:55			Weakness Enumeration	new