Ability to control the filename when uploading a logo or favicon as admin in the theming settings

Low
nickvergessen published GHSA-ch7f-px7m-hg25 Mar 30, 2023

Package                        Affected versions                 Patched versions
Server (Nextcloud)             >= 24.0.0, >= 25.0.0              24.0.10, 25.0.4
Server (Nextcloud Enterprise)  >= 23.0.0, >= 24.0.0, >= 25.0.0   23.0.14, 24.0.10, 25.0.4

Description

Impact

An admin was able to upload a logo or favicon with a file name of their choosing, and the file was written into the appdata directory under that name. Since admins of Nextcloud have remote code execution by default, there is no increased risk.
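The mitigation pattern for this class of issue, as an added illustration rather than Nextcloud's own code: the stored name of a theming image is derived only from the validated setting key and the detected image type, so the client-supplied file name never reaches the path; the key set, the `appdata_abc123` root and the magic-byte table are constructed assumptions.

```python
import posixpath
from typing import Optional

# Constructed example: the theming keys an admin may set and the image
# formats accepted for each, recognised from the file's leading bytes
# (simplified detection; a real service would use a full MIME sniffer).
ALLOWED_KEYS = {"logo", "favicon", "background"}
MAGIC_BYTES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"<svg": "svg",
}


def detect_extension(data: bytes) -> Optional[str]:
    """Return the extension implied by the content, or None if unrecognised."""
    for magic, ext in MAGIC_BYTES.items():
        if data.startswith(magic):
            return ext
    return None


def theming_target_path(appdata_root: str, key: str, data: bytes,
                        client_filename: str) -> str:
    """Compute where an uploaded theming image is stored.

    client_filename is accepted only so it can be audit-logged; it is
    deliberately never used to build the path. The stored name comes from
    the validated key plus the detected content type, so the uploader
    cannot choose the file name or its extension.
    """
    if key not in ALLOWED_KEYS:
        raise ValueError(f"unknown theming key: {key!r}")
    ext = detect_extension(data)
    if ext is None:
        raise ValueError("upload is not a recognised image format")
    stored_name = f"{key}.{ext}"
    root = posixpath.normpath(appdata_root)
    target = posixpath.normpath(
        posixpath.join(root, "theming", "images", stored_name))
    # Defence in depth: the resolved path must stay inside appdata even if
    # the key or extension tables are later changed to something unsafe.
    if posixpath.commonpath([root, target]) != root:
        raise ValueError("resolved path escapes the appdata directory")
    return target
```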

Patches

It is recommended that the Nextcloud Server is upgraded to 24.0.10 or 25.0.4.
It is recommended that the Nextcloud Enterprise Server is upgraded to 23.0.14, 24.0.10 or 25.0.4.

Workarounds

  • No workaround available

Severity

Low (2.4 / 10)

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: High
User interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: Low

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:L

CVE ID

CVE-2023-28833