4.4

CVE-2023-28646

App lockout in nextcloud Android app can be bypassed via thirdparty apps

App pin of the Android app can be bypassed via thirdparty apps generating deep links

Nextcloud Android is an Android app for interfacing with the Nextcloud home server ecosystem. In versions from 3.7.0 and before 3.24.1, an attacker who has access to the unlocked physical device can bypass the Nextcloud Android PIN/passcode protection via a third-party app. This allows them to see meta information such as the sharer, sharees and activity of files. It is recommended that the Nextcloud Android app is upgraded to 3.24.1. There are no known workarounds for this vulnerability.
Possible countermeasure
Android: * No workaround available
Data provided by the National Vulnerability Database (NVD)
Vendor: Nextcloud, Product: Nextcloud, Platform: android, Version >= 3.7.0 < 3.24.1
Further vulnerability information
System: Nextcloud App
Product: Android
Version: >= 3.7.0, < 3.24.1
No advisory was found for this CVE.
EPSS metrics
Type | Source | Score | Percentile
EPSS | FIRST.org | 0.06% | 0.178
CVSS metrics
Source | Base Score | Exploit Score | Impact Score | Vector String
nvd@nist.gov | 2.4 | 0.9 | 1.4 | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
security-advisories@github.com | 4.4 | 0.3 | 3.7 | CVSS:3.1/AV:P/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L
CWE-281 Improper Preservation of Permissions

The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.