5.4

CVE-2023-49791

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. In Nextcloud Server prior to versions 26.0.9 and 27.1.4; as well as Nextcloud Enterprise Server prior to versions 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4; when an attacker manages to get access to an active session of another user via another way, they could delete and modify workflows by sending calls directly to the API bypassing the password confirmation shown in the UI. Nextcloud Server versions 26.0.9 and 27.1.4 and Nextcloud Enterprise Server versions 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4 contain a patch for this issue. No known workarounds are available.

Data is provided by the National Vulnerability Database (NVD)
NextcloudNextcloud Server SwEditionenterprise Version >= 23.0.0 < 23.0.12.13
NextcloudNextcloud Server SwEditionenterprise Version >= 24.0.0 < 24.0.12.9
NextcloudNextcloud Server SwEditionenterprise Version >= 25.0.0 < 25.0.13.4
NextcloudNextcloud Server SwEdition- Version >= 26.0.0 < 26.0.9
NextcloudNextcloud Server SwEditionenterprise Version >= 26.0.0 < 26.0.9
NextcloudNextcloud Server SwEdition- Version >= 27.0.0 < 27.1.4
NextcloudNextcloud Server SwEditionenterprise Version >= 27.0.0 < 27.1.4
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 0.2% 0.423
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 5.4 2.8 2.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
security-advisories@github.com 5.4 2.8 2.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.