Impact
If Collabora is tricked into reusing a valid access token with the file id of another user's file, a copy of that file can be obtained without proper permission validation. Any user with access to Collabora can obtain the content of other users' files.
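The underlying problem is a missing binding between the access token and the file id it was issued for. The following is an added illustration, not code from Nextcloud or Collabora: it contrasts a handler that only validates the token with one that also checks the requested file id against the id stored with the token. All function names, tokens, users and file ids are hypothetical and constructed for the example.

```python
import time
from dataclasses import dataclass

# Constructed sample data: two users, one file each (all values hypothetical).
FILES = {"101": b"alice's report", "202": b"bob's payroll"}

@dataclass(frozen=True)
class TokenRecord:
    user: str
    file_id: str    # the file this token was issued for
    expires: float  # epoch seconds

TOKENS = {
    "tok-alice": TokenRecord("alice", "101", time.time() + 3600),
    "tok-stale": TokenRecord("bob", "202", time.time() - 1),
}

class AccessDenied(Exception):
    pass

def _lookup(token: str) -> TokenRecord:
    record = TOKENS.get(token)
    if record is None or record.expires < time.time():
        raise AccessDenied("unknown or expired token")
    return record

def get_file_unbound(token: str, file_id: str) -> bytes:
    """Flawed pattern: the token is validated, the file id is trusted as sent."""
    _lookup(token)
    return FILES[file_id]

def get_file_bound(token: str, file_id: str) -> bytes:
    """Hardened pattern: the requested id must equal the id stored with the token."""
    record = _lookup(token)
    if record.file_id != file_id:
        raise AccessDenied("token was not issued for this file")
    return FILES[record.file_id]  # serve the id from the token, not the request

def allowed(handler, token: str, file_id: str) -> bool:
    """Return True if the handler serves the file, False if it refuses."""
    try:
        handler(token, file_id)
        return True
    except AccessDenied:
        return False
```

A regression test for this class of bug asserts that a token issued for one file is refused for every other file id, in addition to the usual expiry and unknown-token checks.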
Patches
It is recommended that the Nextcloud Office App (Collabora Integration) is updated to:
7.0.2 (Nextcloud 25)
6.3.2 (Nextcloud 24)
5.0.10 (Nextcloud 23)
4.2.9 (Nextcloud 21-22)
3.8.7 (Nextcloud 15-20)
Workarounds
No workaround available
References
For more information
If you have any questions or comments about this advisory: