SB2023010907 - Multiple vulnerabilities in Nextcloud Deck

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2023010907

SB2023010907 - Multiple vulnerabilities in Nextcloud Deck

Published: January 9, 2023

Security Bulletin ID SB2023010907
Severity
Medium
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Medium 33% Low 67%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.


1) Authorization bypass through user-controlled key (CVE-ID: CVE-2023-22471)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to authorization bypass through user-controlled key. A remote user can delete attachments of other users.


2) Resource exhaustion (CVE-ID: CVE-2023-22470)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote user can trigger resource exhaustion and perform a denial of service (DoS) attack.


3) Information disclosure (CVE-ID: CVE-2023-22469)

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to deck card reference caching can leak data to unauthorized users.


Remediation

Install update from vendor's website.

References