Improper Authentication in Nextcloud iOS App - CVE-2023-28647
Published: April 4, 2023
Vulnerability identifier: #VU74348
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:P/AC:L/AT:P/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-28647
CWE-ID: CWE-287
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
Nextcloud iOS App
Nextcloud iOS App
Software vendor:
Nextcloud
Nextcloud
Description
The vulnerability allows a local attacker to bypass authentication process.
The vulnerability exists due to an error when processing authentication requests in the App pin. An authenticated attacker with physical access to an unlocked device can enable the integration into the iOS Files app and bypass the Nextcloud pin protection.
Remediation
Install updates from vendor's website.