Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nvd[email protected]NVD:CVE-2023-49791
HistoryDec 22, 2023 - 5:15 p.m.

CVE-2023-49791

2023-12-2217:15:08
CWE-287
CWE-284
[email protected]
web.nvd.nist.gov
nextcloud
data storage
vulnerability

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

0.001 Low

EPSS

Percentile

21.6%

JSON

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. In Nextcloud Server prior to versions 26.0.9 and 27.1.4; as well as Nextcloud Enterprise Server prior to versions 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4; when an attacker manages to get access to an active session of another user via another way, they could delete and modify workflows by sending calls directly to the API bypassing the password confirmation shown in the UI. Nextcloud Server versions 26.0.9 and 27.1.4 and Nextcloud Enterprise Server versions 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4 contain a patch for this issue. No known workarounds are available.

Affected configurations

NVD
Node
nextcloudnextcloud_serverRange23.0.023.0.12.13enterprise
OR
nextcloudnextcloud_serverRange24.0.024.0.12.9enterprise
OR
nextcloudnextcloud_serverRange25.0.025.0.13.4enterprise
OR
nextcloudnextcloud_serverRange26.0.026.0.9-
OR
nextcloudnextcloud_serverRange26.0.026.0.9enterprise
OR
nextcloudnextcloud_serverRange27.0.027.1.4-
OR
nextcloudnextcloud_serverRange27.0.027.1.4enterprise

Related

prion 1
cve 1
osv 1
nextcloud 1
hackerone 1
cvelist 1
openvas 1
redos 1
prion
prion
Design/Logic Flaw
2023-12-22 17:15:00
cve
cve
CVE-2023-49791
2023-12-22 17:15:08
osv
osv
CVE-2023-49791
2023-12-22 17:15:08
nextcloud
nextcloud
Workflows do not require password confirmation on API level
2023-12-18 08:26:24
hackerone
hackerone
Nextcloud: Bypass password confirmation via Context-dependent access control (CDCA)
2023-08-22 21:46:19
cvelist
cvelist
CVE-2023-49791 Workflows do not require password confirmation on API level
2023-12-22 16:26:28
openvas
openvas
Nextcloud Server Multiple Vulnerabilities (GHSA-3f8p-6qww-2prr, GHSA-5j2p-q736-hw98)
2023-12-20 00:00:00
redos
redos
ROS-20240627-06
2024-06-27 00:00:00

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

0.001 Low

EPSS

Percentile

21.6%

JSON
Related for NVD:CVE-2023-49791
prion1cve1osv1nextcloud1hackerone1cvelist1openvas1redos1