Users can set up workflows using restricted and invisible system tags
Package
Files automated tagging (Nextcloud)
Affected versions
>= 1.11.0, >= 1.12.0, >= 1.13.0, >= 1.14.0, >= 1.15.0, >= 1.16.0
Patched versions
1.11.1, 1.12.1, 1.13.1, 1.14.2, 1.15.3, 1.16.1
Package
Server (Nextcloud)
Affected versions
>= 24.0.0, >= 25.0.0
Patched versions
24.0.11, 25.0.5
Package
Server (Nextcloud Enterprise)
Affected versions
>= 21.0.0, >= 22.0.0, >= 23.0.0, >= 24.0.0, >= 25.0.0
Patched versions
21.0.9.11, 22.2.10.11, 23.0.12.6, 24.0.11, 25.0.5
Impact
Depending on the tags that are set up and on other workflows, this issue can be used to limit the access of others or to grant them access when system-tag-based files access control or files retention rules are in place.
Patches
It is recommended that the Nextcloud Server is upgraded to 24.0.11 or 25.0.5.
It is recommended that the Nextcloud Enterprise Server is upgraded to 21.0.9.11, 22.2.10.11, 23.0.12.6, 24.0.11 or 25.0.5.
It is recommended that the Nextcloud Files automated tagging app is upgraded to 1.11.1, 1.12.1, 1.13.1, 1.14.2, 1.15.3 or 1.16.1.
Workarounds
References
For more information
If you have any questions or comments about this advisory: