CVE-2021-32748: Missing Authorization in Security-advisories

Severity: 4.3 MEDIUM (NVD)
EPSS: 0.2% (top 54.56%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 27

Description

Nextcloud Richdocuments is an open source, self-hosted online office. Nextcloud uses the WOPI ("Web Application Open Platform Interface") protocol to communicate with the Collabora Editor. The communication between these two services was not protected by a credential or IP check. Whilst this does not result in gaining access to data that the user does not yet have access to, it can result in a bypass of any enforced watermark on documents as described on the [Nextcloud Virtual Data Room](https://nextc

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Exploitability: 2.8 | Impact: 1.4

Affected Packages (2 packages)

NVD | nextcloud/richdocuments | 4.0.0 | 4.2.0 | +1
CVEListV5 | nextcloud/security-advisories | < 3.8.3 | +1

Vulnerability Details

CVEList (1)
WOPI API not protected by credentials/IP check (2021-07-27)
CVE-2021-32748 — Missing Authorization | cvebase