CVE-2023-28833 Unrestricted filenames for logo or favicon as admin in the theming settings in nextcloud server

🗓️ 30 Mar 2023 18:49:38Reported by GitHub_MType

Unrestricted logo/fav icon filenames in Nextcloud server theming setting

Reporter	Title	Published	Views	Family All 26
BDU FSTEC	The vulnerability of cloud-based software for creating and using Nextcloud storage solutions allows a hacker to gain unauthorized access to protected information.	27 Apr 202300:00	–	bdu_fstec
BDU FSTEC	The vulnerability of cloud-based software for creating and using Nextcloud data storage allows a attacker to cause a service failure.	27 Apr 202300:00	–	bdu_fstec
BDU FSTEC	The vulnerability of cloud-based software for creating and using Nextcloud data storage allows a hacker to induce a service failure.	27 Apr 202300:00	–	bdu_fstec
BDU FSTEC	The vulnerability of cloud-based software for creating and using Nextcloud data storage allows a hacker to execute arbitrary code.	27 Apr 202300:00	–	bdu_fstec
Circl	CVE-2023-28833	30 Mar 202322:35	–	circl
CNNVD	Nextcloud 代码问题漏洞	30 Mar 202300:00	–	cnnvd
CVE	CVE-2023-28833	30 Mar 202318:49	–	cve
EUVD	EUVD-2023-32465	3 Oct 202520:07	–	euvd
Nextcloud	Ability to control the filename when uploading a logo or favicon as admin in the theming settings	30 Mar 202308:23	–	nextcloud
Hacker One	Nextcloud: Ability to control the filename when uploading a logo or favicon on theming	22 Nov 202220:46	–	hackerone

[
  {
    "vendor": "nextcloud",
    "product": "security-advisories",
    "versions": [
      {
        "version": "< 24.0.10",
        "status": "affected"
      },
      {
        "version": ">= 25.0.0, < 25.0.4",
        "status": "affected"
      }
    ]
  }
]

Source	Link
github	www.github.com/nextcloud/security-advisories/security/advisories/GHSA-ch7f-px7m-hg25
github	www.github.com/nextcloud/server/pull/36095

30 Mar 2023 18:49Current

8.9High risk

Vulners AI Score8.9

CVSS 3.12.4

EPSS0.00537

CWE-22