CVE-2023-49791

CWE-284Improper Access ControlCWE-287Improper Authentication2 documents2 sources
Severity
5.4MEDIUM
EPSS
0.2%
top 57.96%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Nextcloud Nextcloud ServerNextcloud Security-advisories
Timeline
PublishedDec 22

Description

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. In Nextcloud Server prior to versions 26.0.9 and 27.1.4; as well as Nextcloud Enterprise Server prior to versions 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4; when an attacker manages to get access to an active session of another user via another way, they could delete and modify workflows by sending calls directly to the API bypassing the password confirmation shown in the UI. Nextcloud Server versions

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:LExploitability: 2.8 | Impact: 2.5

Affected Packages2 packages

NVDnextcloud/nextcloud_server23.0.023.0.12.13+4
CVEListV5nextcloud/security-advisories5 versions+4

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

1
CVEList
Workflows do not require password confirmation on API level2023-12-22
CVE-2023-49791 (MEDIUM CVSS 5.4) | Nextcloud Server provides data stor | cvebase.io