#VU84544 Security features bypass in Nextcloud Calendar - CVE-2023-48308

Cybersecurity Help s.r.o.

Published: 2023-12-19

Vulnerability identifier: #VU84544

Vulnerability risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-48308

CWE-ID: CWE-254

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Nextcloud Calendar
Web applications / Modules and components for CMS

Vendor: Nextcloud

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to uncleared debug information. A remote user can gain access to stacktrace and internal paths of the server when generating an exception while editing a calendar appointment.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Nextcloud Calendar: 3.0.0

External links
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-fv3c-qvjr-5rv8

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Security features bypass in Nextcloud Calendar app