PT-2025-21662 · Nextcloud · Nextcloud Server+1
Hannob · Published 2025-05-16 · Updated 2025-09-30
CVE-2025-47794
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions:
Nextcloud Server versions prior to 29.0.13, 30.0.7, and 31.0.1
Nextcloud Enterprise Server versions prior to 26.0.13.13, 27.1.11.13, 28.0.14.4, 29.0.13, 30.0.7, and 31.0.1
Description:
The issue allows an attacker on a multi-user system to read temporary files belonging to a Nextcloud instance running under a different user account, or to carry out a symlink attack.
Recommendations:
For Nextcloud Server versions prior to 29.0.13, update to version 29.0.13 or later.
For Nextcloud Server versions prior to 30.0.7, update to version 30.0.7 or later.
For Nextcloud Server versions prior to 31.0.1, update to version 31.0.1 or later.
For Nextcloud Enterprise Server versions prior to 26.0.13.13, update to version 26.0.13.13 or later.
For Nextcloud Enterprise Server versions prior to 27.1.11.13, update to version 27.1.11.13 or later.
For Nextcloud Enterprise Server versions prior to 28.0.14.4, update to version 28.0.14.4 or later.
For Nextcloud Enterprise Server versions prior to 29.0.13, update to version 29.0.13 or later.
For Nextcloud Enterprise Server versions prior to 30.0.7, update to version 30.0.7 or later.
For Nextcloud Enterprise Server versions prior to 31.0.1, update to version 31.0.1 or later.
Exploit · Fix · LPE · Improper Access Control
Affected Products
Nextcloud Enterprise Server
Nextcloud Server