PT-2023-2469 · Nextcloud+2 · Nextcloud Server+2

Ctuihu

Publicado

2023-03-27

Atualizado

2023-04-18

CVE-2023-28833

CVSS v2.0

Alta

Vetor

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Nextcloud Server versions prior to 24.0.10 Nextcloud Server versions prior to 25.0.4

Description The issue is related to the lack of restrictions on file uploads in the Nextcloud server, allowing administrators to upload a logo or favicon with a maliciously named file, potentially overwriting files in the appdata directory. This could be exploited by tricking an administrator into uploading such a file. The vulnerability may allow a remote attacker to compromise the target system by uploading arbitrary files.

Recommendations For Nextcloud Server versions prior to 24.0.10, upgrade to version 24.0.10. For Nextcloud Server versions prior to 25.0.4, upgrade to version 25.0.4. As a temporary workaround for users unable to upgrade, avoid ingesting logo files from untrusted sources.

Exploit

Correção

Unrestricted File Upload

Path traversal

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-434CWE-22

Identificadores relacionados

ALT-PU-2023-1517

ALT-PU-2023-1547

BDU:2023-02259

CVE-2023-28833

GHSA-CH7F-PX7M-HG25

Produtos afetados

Alt Linux

Nextcloud Server

Red Os

PT-2023-2469 · Nextcloud+2 · Nextcloud Server+2

CVE-2023-28833

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 9