CVE-2023-25817

CWE-281CWE-732Incorrect Permission Assignment2 documents2 sources
Severity
8.1HIGH
EPSS
0.2%
top 63.67%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Nextcloud Nextcloud ServerNextcloud Security-advisories
Timeline
PublishedMar 27

Description

Nextcloud server is an open source, personal cloud implementation. In versions from 24.0.0 and before 24.0.9 a user could escalate their permissions to delete files they were not supposed to deletable but only viewed or downloaded. This issue has been addressed andit is recommended that the Nextcloud Server is upgraded to 24.0.9. There are no known workarounds for this vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:LExploitability: 2.1 | Impact: 1.4

Affected Packages2 packages

NVDnextcloud/nextcloud_server24.0.024.0.9
CVEListV5nextcloud/security-advisories>= 24.0.0, < 24.0.9

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

1
CVEList
Delete permissions are not saved when creating public share in Nextcloud server2023-03-27
CVE-2023-25817 (HIGH CVSS 8.1) | Nextcloud server is an open source | cvebase.io