9

CVE-2023-26482

Warning

Nextcloud server is an open source home cloud implementation. In affected versions a missing scope validation allowed users to create workflows which are designed to be only available for administrators. Some workflows are designed to be RCE by invoking defined scripts, in order to generate PDFs, invoking webhooks or running scripts on the server. Due to this combination depending on the available apps the issue can result in a RCE at the end. It is recommended that the Nextcloud Server is upgraded to 24.0.10 or 25.0.4. Users unable to upgrade should disable app `workflow_scripts` and `workflow_pdf_converter` as a mitigation.

Data is provided by the National Vulnerability Database (NVD)
NextcloudNextcloud Server SwEditionenterprise Version >= 18.0.0 < 20.0.14.12
NextcloudNextcloud Server SwEditionenterprise Version >= 21.0.0 < 21.0.9.10
NextcloudNextcloud Server SwEditionenterprise Version >= 22.0.0 < 22.2.10.10
NextcloudNextcloud Server SwEditionenterprise Version >= 23.0.0 < 23.0.12.5
NextcloudNextcloud Server SwEdition- Version >= 24.0.0 < 24.0.10
NextcloudNextcloud Server SwEditionenterprise Version >= 24.0.0 < 24.0.10
NextcloudNextcloud Server SwEdition- Version >= 25.0.0 < 25.0.4
NextcloudNextcloud Server SwEditionenterprise Version >= 25.0.0 < 25.0.4
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 65.51% 0.984
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com 9 2.3 6
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.