PT-2023-2469 · Nextcloud+2 · Nextcloud Server+2
Ctuihu
·
Published
2023-03-27
·
Updated
2023-04-18
·
CVE-2023-28833
CVSS v2.0
10
High
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Nextcloud Server versions prior to 24.0.10
Nextcloud Server versions prior to 25.0.4
Description
The issue is related to the lack of restrictions on file uploads in the Nextcloud server, allowing administrators to upload a logo or favicon with a maliciously named file, potentially overwriting files in the appdata directory. This could be exploited by tricking an administrator into uploading such a file. The vulnerability may allow a remote attacker to compromise the target system by uploading arbitrary files.
Recommendations
For Nextcloud Server versions prior to 24.0.10, upgrade to version 24.0.10.
For Nextcloud Server versions prior to 25.0.4, upgrade to version 25.0.4.
As a temporary workaround for users unable to upgrade, avoid ingesting logo files from untrusted sources.
Exploit
Fix
Unrestricted File Upload
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Alt Linux
Nextcloud Server
Red Os