SB2023062328 - Multiple vulnerabilities in Nextcloud Server and Enterprise Server

Description

This security bulletin contains information about 5 secuirty vulnerabilities.

1) Open redirect (CVE-ID: CVE-2023-35171)

The vulnerability allows a remote attacker to redirect victims to arbitrary URL.

The vulnerability exists due to improper sanitization of user-supplied data on "Unsupported browser" warning. A remote user can create a link that leads to a trusted website, however, when clicked, redirects the victim to arbitrary domain.

Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.

2) Improper access control (CVE-ID: CVE-2023-35927)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions when two servers are registered as trusted servers for each other and successfully exchanged the share secrets. A remote user can modify or delete VCards in the system addressbook on the origin server.

3) Improper Restriction of Excessive Authentication Attempts (CVE-ID: CVE-2023-35172)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to missing brute force protection within the password reset endpoint. A remote attacker can brute-force the password reset links.

4) Unprotected storage of credentials (CVE-ID: CVE-2023-35928)

The vulnerability allows a remote user to gain access to other users' credentials.

The vulnerability exists due to user scoped external storage can be used to gather credentials of other users. A remote administrator can get access to the login credentials of another user and take over their account.

5) Improper Restriction of Excessive Authentication Attempts (CVE-ID: CVE-2023-32320)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to missing brute force protection. A remote user can brute-force authentication on the system.

Remediation

Install update from vendor's website.

References

• https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h353-vvwv-j2r4
• https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h7f7-535f-7q87
• https://github.com/nextcloud/security-advisories/security/advisories/GHSA-mjf5-p765-qmr6
• https://github.com/nextcloud/security-advisories/security/advisories/GHSA-637g-xp2c-qh5h
• https://github.com/nextcloud/security-advisories/security/advisories/GHSA-qphh-6xh7-vffg
• https://github.com/nextcloud/server/pull/38274
• https://hackerone.com/reports/1918525