CVE-2023-48304 — Authorization Bypass Through User-Controlled Key in Server

CWE-639 — Authorization Bypass Through User-Controlled Key2 documents2 sources

Severity

4.3MEDIUMNVD

EPSS

0.1%

top 65.34%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nextcloud Server Nextcloud Security-advisories

Timeline

PublishedNov 21

Description

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.11, 26.0.6, and 27.1.0 of Nextcloud Server and starting in version 22.0.0 and prior to versions 22.2.10.16, 23.0.12.11, 24.0.12.7, 25.0.11, 26.0.6, and 27.1.0 of Nextcloud Enterprise Server, an attacker could enable and disable the birthday calendar for any user on the same server. Nextcloud Server 25.0.11, 26.0.6, and 27.1.0 and Nextcloud Enterprise Server 2…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶NVDnextcloud/nextcloud_server23.0.0 — 23.0.12.11+5

▶CVEListV5nextcloud/security-advisories6 versions+5

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

Nextcloud Server vulnerable to attacker enabling/disabling birthday calendar for any user↗2023-11-21

▶