#VU74347 Violation of Secure Design Principles in Nextcloud Enterprise Server and Nextcloud Server - CVE-2023-28833

Cybersecurity Help s.r.o.

Published: 2023-04-04

Vulnerability identifier: #VU74347

Vulnerability risk: Low

CVSSv4.0: 0.4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-28833

CWE-ID: CWE-657

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Nextcloud Enterprise Server
Client/Desktop applications / Messaging software
Nextcloud Server
Client/Desktop applications / Messaging software

Vendor: Nextcloud

Description

The vulnerability allows a remote user to compromise the target system.

The vulnerability exists due to violation of secure design principles. A remote administrator has ability to control the filename when uploading a logo or favicon in the theming settings.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Nextcloud Enterprise Server: 23.0.0 - 25.0.3

Nextcloud Server: 24.0.0 - 25.0.3

External links
https://github.com/nextcloud/server/pull/36095
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-ch7f-px7m-hg25

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Violation of Secure Design Principles in Nextcloud Server and Enterprise Server