Lucene search
NvzH1:2112973HistoryAug 16, 2023 - 8:50 p.m.
Nextcloud: Enabling Birthday Contact to any user
2023-08-1620:50:07
nvz
hackerone.com
7
nextcloud
calendar settings
birthday contacts
unauthorized action
low privileges
Summary:
Was able to enable Birthday Contacts any User, Admin, SuperAdmin. from a low privileged user.
Steps To Reproduce:
- Navigate to Calendar.
- At the very bottom find calendar settings
- Click on
Enable Birthday Contacts - Intercept the following request
POST /remote.php/dav/calendars/{userId}
<x3:enable-birthday-calendar xmlns:x3="http://nextcloud.com/ns"/>
Impact
Users with low privileges enable the “Birthday Contacts” feature for any user, including Admins and SuperAdmins, within the Nextcloud application. By following a simple set of steps, an attacker could navigate to the Calendar section, access the calendar settings, enable the “Birthday Contacts” feature, and intercept a specific request to achieve this unauthorized action.
Related
prion
prion
Code injection
2023-11-21 22:15:00
cvelist
cvelist
osv
osv
CVE-2023-48304
2023-11-21 22:15:08
nextcloud
nextcloud
Can enable/disable birthday calendar for any user
2023-11-21 05:21:48
cve
cve
CVE-2023-48304
2023-11-21 22:15:08
nvd
nvd
CVE-2023-48304
2023-11-21 22:15:08
openvas
openvas
redos
redos
ROS-20240402-12
2024-04-02 00:00:00