CSRF vulnerability in Nextcloud Desktop Client on Windows when clicking malicious link

Moderate
nickvergessen published GHSA-4gfv-xqpx-42qj Jan 9, 2023

Package

Desktop (Nextcloud)

Affected versions

3.6.1

Patched versions

3.6.2

Description

Impact

It is possible to make a user send any POST request with an arbitrary body if they click on a malicious deep link (e.g. in an email, a chat message, etc.) on a Windows computer.

Patches

It is recommended that the Nextcloud Desktop client be upgraded to 3.6.2.

Workarounds

No workaround is available.

References

For more information

If you have any questions or comments about this advisory:

Severity

Moderate, 5.3 / 10

CVSS base metrics

Attack vector
Local
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

CVE ID

CVE-2023-22472

Weaknesses