CVE-2023-26482OS Command Injection in Security-advisories

CWE-78OS Command Injection2 documents2 sources
Severity
8.8HIGHNVD
CNA9.0
EPSS
52.2%
top 2.07%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Nextcloud Security-advisoriesNextcloud Server
Timeline
PublishedMar 30

Description

Nextcloud server is an open source home cloud implementation. In affected versions a missing scope validation allowed users to create workflows which are designed to be only available for administrators. Some workflows are designed to be RCE by invoking defined scripts, in order to generate PDFs, invoking webhooks or running scripts on the server. Due to this combination depending on the available apps the issue can result in a RCE at the end. It is recommended that the Nextcloud Server is upgra

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

NVDnextcloud/nextcloud_server18.0.020.0.14.12+5
CVEListV5nextcloud/security-advisories< 24.0.10+1

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

1
CVEList
Scope of workflow operations is not validated in nextcloud server2023-03-30
CVE-2023-26482 — OS Command Injection | cvebase