Nextcloud GHSA-8JWV-C8C8-9FR3
Nov 21, 2023 - 5:21 a.m.

Can enable/disable birthday calendar for any user

2023-11-21 05:21:48
github.com
Tags: nextcloud, security advisory, upgrade, hackerone, pullrequest, server, birthday calendar

CVSS3: 4.3

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: LOW
  • Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

AI Score: 6.5
Confidence: High

EPSS: 0.001
Percentile: 20.0%

Description

Impact

An attacker could enable and disable the birthday calendar for any user on the same server.

Patches

  • It is recommended that the Nextcloud Server is upgraded to 25.0.11, 26.0.6 or 27.1.0
  • It is recommended that the Nextcloud Enterprise Server is upgraded to 22.2.10.16, 23.0.12.11, 24.0.12.7, 25.0.11, 26.0.6 or 27.1.0

Workarounds

  • No workaround available

References

For more information

If you have any questions or comments about this advisory:
