CVE-2023-28847

CWE-307CWE-94Code Injection3 documents3 sources
Severity
7.5HIGH
EPSS
0.7%
top 28.44%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Nextcloud Nextcloud ServerNextcloud Security-advisories
Timeline
PublishedApr 25
Latest updateApr 24

Description

Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. In Nextcloud Server 24.0.0 prior to 24.0.11 and 25.0.0 prior to 25.0.5; as well as Nextcloud Server Enterprise 23.0.0 prior to 23.0.12.6, 24.0.0 prior to 24.0.11, and 25.0.0 prior to 25.0.5; an attacker is not restricted in verifying passwords of share links so they can just start brute forcing the password. Nextcloud Server 24.0.11 and 25.0.5 and Nextcloud Enterprise Server 23.0.12.6, 24.0.11, and 2

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:NExploitability: 1.6 | Impact: 1.4

Affected Packages2 packages

NVDnextcloud/nextcloud_server23.0.023.0.12.6+2
CVEListV5nextcloud/security-advisories >= 23.0.0, < 23.0.12.6, >= 24.0.0, < 24.0.11, >= 25.0.0, < 25.0.5+2

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

2
GHSA
OpenMetadata vulnerable to a SpEL Injection in `PUT /api/v1/events/subscriptions` (`GHSL-2023-251`)2024-04-24
CVEList
Nextcloud Server missing brute force protection for passwords of password protected share links2023-04-25
CVE-2023-28847 (HIGH CVSS 7.5) | Nextcloud Server is the file server | cvebase.io