Main Vulnerability Database Vulnerabilities #VU74348

Improper Authentication in Nextcloud iOS App - CVE-2023-28647

Published: April 4, 2023

Vulnerability identifier: #VU74348

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:P/AC:L/AT:P/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2023-28647

CWE-ID: CWE-287

Exploitation vector: Local access

Exploit availability: No public exploit available

Vendor: Nextcloud

Affected software:
Nextcloud iOS App

Detailed vulnerability description

The vulnerability allows a local attacker to bypass authentication process.

The vulnerability exists due to an error when processing authentication requests in the App pin. An authenticated attacker with physical access to an unlocked device can enable the integration into the iOS Files app and bypass the Nextcloud pin protection.

How to mitigate CVE-2023-28647

Install updates from vendor's website.

Sources

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wjgg-2v4p-2gq6
https://github.com/nextcloud/ios/pull/2344

Improper Authentication in Nextcloud iOS App - CVE-2023-28647

Detailed vulnerability description

How to mitigate CVE-2023-28647

Sources

Please verify you're human