CVE-2023-22472 — Cross-Site Request Forgery in Security-advisories

CWE-352 — Cross-Site Request Forgery2 documents2 sources

Severity

8.8HIGHNVD

CNA5.3

EPSS

0.3%

top 51.66%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nextcloud Security-advisories Nextcloud Desktop

Timeline

PublishedJan 9

Description

Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. It is possible to make a user send any POST request with an arbitrary body given they click on a malicious deep link on a Windows computer. (e.g. in an email, chat link, etc). There are currently no known workarounds. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.2.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶NVDnextcloud/desktop3.6.1

▶CVEListV5nextcloud/security-advisories3.6.1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

Nextcloud Deck Desktop Client is vulnerable to Cross-Site Request Forgery (CSRF) via malicious link↗2023-01-09

▶