CVE-2023-22472

2023-01-0914:15:10

Google

osv.dev

deck

organization tool

security vulnerability

nextcloud

windows

upgrade

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8.7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

41.1%

JSON

Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. It is possible to make a user send any POST request with an arbitrary body given they click on a malicious deep link on a Windows computer. (e.g. in an email, chat link, etc). There are currently no known workarounds. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.2.

CPENameOperatorVersion
desktopeq1.5.3-rc1
desktopeq0.0.2
desktopeq1.5.0-beta1
desktopeq1.8.0-rc1
desktopeq2.0.2-rc1
desktopeq3.1.0-rc2
desktopeq1.8.1-beta1
desktopeq2.5.0-rc2
desktopeq1.5.0-beta2
desktopeq1.8.0

Name	Operator	Version
desktop	eq	1.5.3-rc1
desktop	eq	0.0.2
desktop	eq	1.5.0-beta1
desktop	eq	1.8.0-rc1
desktop	eq	2.0.2-rc1
desktop	eq	3.1.0-rc2
desktop	eq	1.8.1-beta1
desktop	eq	2.5.0-rc2
desktop	eq	1.5.0-beta2
desktop	eq	1.8.0