CVE-2023-28844

CWE-284 — Improper Access Control2 documents2 sources

Severity

6.5MEDIUM

EPSS

0.3%

top 43.30%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nextcloud Security-advisories Nextcloud Nextcloud Server

Timeline

PublishedMar 31

Description

Nextcloud server is an open source home cloud implementation. In affected versions users that should not be able to download a file can still download an older version and use that for uncontrolled distribution. This issue has been addressed in versions 24.0.10 and 25.0.4. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:NExploitability: 2.1 | Impact: 3.6

Affected Packages2 packages

▶NVDnextcloud/nextcloud_server24.0.4 — 24.0.10+1

▶CVEListV5nextcloud/security-advisories< 24.0.10+1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

User without download rights can download older version of that file in nextcloud server↗2023-03-31

▶