CVE-2023-48304

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-48304
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.11, 26.0.6, and 27.1.0 of Nextcloud Server and starting in version 22.0.0 and prior to versions 22.2.10.16, 23.0.12.11, 24.0.12.7, 25.0.11, 26.0.6, and 27.1.0 of Nextcloud Enterprise Server, an attacker could enable and disable the birthday calendar for any user on the same server. Nextcloud Server 25.0.11, 26.0.6, and 27.1.0 and Nextcloud Enterprise Server 22.2.10.16, 23.0.12.11, 24.0.12.7, 25.0.11, 26.0.6, and 27.1.0 contain patches for this issue. No known workarounds are available.

4.3 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References
Link Resource
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8jwv-c8c8-9fr3 Vendor Advisory
https://github.com/nextcloud/server/pull/40292 Issue Tracking Patch
https://hackerone.com/reports/2112973 Exploit Third Party Advisory
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8jwv-c8c8-9fr3 Vendor Advisory
https://github.com/nextcloud/server/pull/40292 Issue Tracking Patch
https://hackerone.com/reports/2112973 Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:*
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:*
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:*
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*
History

21 Nov 2024, 08:31

Type Values Removed Values Added
References () https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8jwv-c8c8-9fr3 - Vendor Advisory () https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8jwv-c8c8-9fr3 - Vendor Advisory
References () https://github.com/nextcloud/server/pull/40292 - Issue Tracking, Patch () https://github.com/nextcloud/server/pull/40292 - Issue Tracking, Patch
References () https://hackerone.com/reports/2112973 - Exploit, Third Party Advisory () https://hackerone.com/reports/2112973 - Exploit, Third Party Advisory

01 Dec 2023, 15:08

Type Values Removed Values Added
CPE cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:*
First Time Nextcloud nextcloud Server
Nextcloud
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 4.3
References () https://hackerone.com/reports/2112973 - () https://hackerone.com/reports/2112973 - Exploit, Third Party Advisory
References () https://github.com/nextcloud/server/pull/40292 - () https://github.com/nextcloud/server/pull/40292 - Issue Tracking, Patch
References () https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8jwv-c8c8-9fr3 - () https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8jwv-c8c8-9fr3 - Vendor Advisory

21 Nov 2023, 22:15

Type Values Removed Values Added
New CVE
Information

Published : 2023-11-21 22:15

Updated : 2024-11-21 08:31

NVD link : CVE-2023-48304

Mitre link : CVE-2023-48304

CVE.ORG link : CVE-2023-48304

JSON object : View

Products Affected

nextcloud

  • nextcloud_server
CWE
CWE-639

Authorization Bypass Through User-Controlled Key