CVSS3
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N
EPSS
Percentile: 42.5%
By tricking Collabora into reusing a valid access token with the file ID of another user's file, a copy of that file can be obtained without proper permission validation. Any user with access to Collabora can obtain the content of other users' files.
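The flaw described above comes down to accepting a valid token without checking which file it was issued for. The following is an added example, not the Nextcloud Office app's code: the token store, file table and function names are hypothetical, and it assumes tokens are recorded with the file ID they were issued for. It contrasts the flawed pattern with a check that binds the token to its file and re-validates the user's permission.

```python
import time
from dataclasses import dataclass

@dataclass(frozen=True)
class TokenRecord:
    user: str
    file_id: int      # file the token was issued for
    expires: float    # UNIX timestamp

class AccessDenied(Exception):
    pass

# Constructed sample data (hypothetical names and values).
FILES = {
    101: {"owner": "alice", "shared_with": set(), "content": b"alice notes"},
    202: {"owner": "bob", "shared_with": set(), "content": b"bob payroll"},
}
TOKENS = {"tok-a": TokenRecord("alice", 101, time.time() + 3600)}

def _valid_token(token: str) -> TokenRecord:
    record = TOKENS.get(token)
    if record is None or record.expires < time.time():
        raise AccessDenied("invalid or expired token")
    return record

def get_file_unchecked(file_id: int, token: str) -> bytes:
    """Flawed pattern: the token is validated, the requested file id is trusted."""
    _valid_token(token)
    return FILES[file_id]["content"]

def get_file_checked(file_id: int, token: str) -> bytes:
    """Hardened pattern: bind the token to its file and re-check permissions."""
    record = _valid_token(token)
    if record.file_id != file_id:
        raise AccessDenied("token was not issued for this file")
    meta = FILES.get(file_id)
    if meta is None:
        raise AccessDenied("no such file")
    if record.user != meta["owner"] and record.user not in meta["shared_with"]:
        raise AccessDenied("user has no access to this file")
    return meta["content"]

def is_denied(handler, file_id: int, token: str) -> bool:
    """Return True when the handler rejects the request."""
    try:
        handler(file_id, token)
    except AccessDenied:
        return True
    return False
```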
It is recommended that the Nextcloud Office App (Collabora Integration) is updated to:
- 7.0.2 (Nextcloud 25)
- 6.3.2 (Nextcloud 24)
- 5.0.10 (Nextcloud 23)
- 4.2.9 (Nextcloud 21-22)
- 3.8.7 (Nextcloud 15-20)
No workaround available
If you have any questions or comments about this advisory: