PT-2024-4381

7H3B4Dger · Published 2024-06-14 · Updated 2025-01-24 · CVE-2024-37315

CVSS v2.0: 4.0 (Medium)
Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions

Nextcloud Server versions prior to 26.0.12
Nextcloud Server versions prior to 27.1.7
Nextcloud Server versions prior to 28.0.3
Nextcloud Enterprise Server versions prior to 23.0.12.16
Nextcloud Enterprise Server versions prior to 24.0.12.12
Nextcloud Enterprise Server versions prior to 25.0.13.6
Nextcloud Enterprise Server versions prior to 26.0.12
Nextcloud Enterprise Server versions prior to 27.1.7
Nextcloud Enterprise Server versions prior to 28.0.3
Description

The vulnerability is in the files_versions app of Nextcloud Server. When the files_versions app is enabled, a remote attacker who has only read-only access to a file can restore an older version of that document, bypassing the access control that should restrict version restoration to users with write permission.
Recommendations

Upgrade Nextcloud Server to version 26.0.12
Upgrade Nextcloud Server to version 27.1.7
Upgrade Nextcloud Server to version 28.0.3
Upgrade Nextcloud Enterprise Server to version 23.0.12.16
Upgrade Nextcloud Enterprise Server to version 24.0.12.12
Upgrade Nextcloud Enterprise Server to version 25.0.13.6
Upgrade Nextcloud Enterprise Server to version 26.0.12
Upgrade Nextcloud Enterprise Server to version 27.1.7
Upgrade Nextcloud Enterprise Server to version 28.0.3

As a temporary workaround, disable the files_versions app until the fixed version can be installed.

Weakness Enumeration

Improper Access Control

Related Identifiers

ALT-PU-2024-14145
ALT-PU-2024-14169
ALT-PU-2025-1855
BDU:2024-04872
CVE-2024-37315
GHSA-5MQ8-738W-5942

Affected Products

Alt Linux
Nextcloud Enterprise Server
Nextcloud Server
Red Os