CVE-2019-12739

Name of the Vulnerable Software and Affected Versions Nextcloud Extract add-on versions prior to 1.2.0

Description The issue allows for remote code execution via shell metacharacters in a RAR filename. This is achieved through the ajax/extractRar.php endpoint, specifically using the nameOfFile and directory parameters.

Recommendations For versions prior to 1.2.0, update to version 1.2.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the ajax/extractRar.php endpoint until the update is applied. Avoid using the nameOfFile and directory parameters in the affected endpoint until the issue is resolved.