Nextcloud security advisory GHSA-H7F7-535F-7Q87
Jun 22, 2023, 1:22 p.m.

System addressbooks can be modified by malicious trusted server

Published: 2023-06-22 13:22:53
Source: github.com
Tags: nextcloud, security advisory, vcards, data manipulation, server upgrade, trusted servers, system addressbook, hackerone, pullrequest, data integrity

CVSS3 score: 8.1 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

EPSS: 0.001 Low (percentile 49.8%)

Description

Impact

When two servers are registered as trusted servers for each other and have successfully exchanged the share secrets, the malicious server could modify or delete VCards in the system addressbook on the origin server. This would affect the information available and shown in certain places, such as the user search and the avatar menu. If a manipulated user modifies their own data in the personal settings, the entry is fixed again.

Patches

It is recommended that the Nextcloud Server is upgraded to 25.0.7 or 26.0.2.
It is recommended that the Nextcloud Enterprise Server is upgraded to 19.0.13.9, 20.0.14.14, 21.0.9.12, 22.2.10.12, 23.0.12.7, 24.0.12.2, 25.0.7 or 26.0.2.

Workarounds

  • Remove all trusted servers in the “Administration” > “Sharing” settings (…/index.php/settings/admin/sharing).
  • Afterwards, trigger a recreation of the local system addressbook with the following occ command: occ dav:sync-system-addressbook; see “Using the occ command” in our documentation.

References

For more information

If you have any questions or comments about this advisory:

Affected products (CPE)

Name    Operator  Version
server  lt        25.0.0
server  lt        26.0.0
