CVE-2022-41970

CWE-284Improper Access ControlCWE-863Incorrect Authorization2 documents2 sources
Severity
5.3MEDIUM
EPSS
0.1%
top 64.95%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Nextcloud Security-advisoriesNextcloud Nextcloud Server
Timeline
PublishedDec 1

Description

Nextcloud Server is an open source personal cloud server. Prior to versions 24.0.7 and 25.0.1, disabled download shares still allow download through preview images. Images could be downloaded and previews of documents (first page) can be downloaded without being watermarked. Versions 24.0.7 and 25.0.1 contain a fix for this issue. No known workarounds are available.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:NExploitability: 1.2 | Impact: 1.4

Affected Packages2 packages

NVDnextcloud/nextcloud_server24.0.024.0.7+1
CVEListV5nextcloud/security-advisories< 24.0.7+1

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

1
CVEList
Nextcloud Server's disabled download shares still allow download through preview images2022-12-01
CVE-2022-41970 (MEDIUM CVSS 5.3) | Nextcloud Server is an open source | cvebase.io