CVE-2023-28645Improper Access Control in Security-advisories

CWE-284Improper Access Control2 documents2 sources
Severity
6.5MEDIUMNVD
CNA5.7
EPSS
0.1%
top 67.79%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Nextcloud Security-advisoriesNextcloud Richdocuments
Timeline
PublishedMar 31

Description

Nextcloud richdocuments is a Nextcloud app integrating the office suit Collabora Online. In affected versions the secure view feature of the rich documents app can be bypassed by using unprotected internal API endpoint of the rich documents app. It is recommended that the Nextcloud Office app (richdocuments) is upgraded to 8.0.0-beta.1, 7.0.2 or 6.3.2. Users unable to upgrade may mitigate the issue by taking steps to restrict the ability to download documents. This includes ensuring that the `WO

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

NVDnextcloud/richdocuments6.0.06.3.2+1
CVEListV5nextcloud/security-advisories< 6.3.2+1

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

1
CVEList
Secure view can be bypassed by using internal API endpoint in Nextcloud richdocuments2023-03-31
CVE-2023-28645 — Improper Access Control | cvebase