CVE-2023-25159 — LOW (2.3) — White Hats Nepal

Q: How severe is CVE-2023-25159?

CVE-2023-25159 has been rated LOW with a CVSS base score of 2.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2023-25159?

Check the references section above for vendor advisories and patch information. Affected products include: Nextcloud Nextcloud Server, Nextcloud Richdocuments.

Vulnerability Description

Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform, and Nextcloud Office is a document collaboration app for the same platform. Nextcloud Server 24.0.x prior to 24.0.8 and 25.0.x prior to 25.0.1, Nextcloud Enterprise Server 24.0.x prior to 24.0.8 and 25.0.x prior to 25.0.1, and Nextcloud Office (Richdocuments) App 6.x prior to 6.3.1 and 7.x prior to 7.0.1 have previews accessible without a watermark. The download should be hidden and the watermark should get applied. This issue is fixed in Nextcloud Server 25.0.1 and 24.0.8, Nextcloud Enterprise Server 25.0.1 and 24.0.8, and Nextcloud Office (Richdocuments) App 7.0.1 (for 25) and 6.3.1 (for 24). No known workarounds are available.

CVSS Score

2.3

LOW

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Nextcloud	Nextcloud Server	>= 24.0.4, <= 24.0.8
Nextcloud	Richdocuments	>= 6.0.0, < 6.3.1

Related Weaknesses (CWE)

CWE-284

References

https://github.com/nextcloud/richdocuments/pull/2579Broken Link
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-92g2-hVendor Advisory
https://github.com/nextcloud/server/pull/34799Broken Link
https://hackerone.com/reports/1745755Permissions RequiredThird Party Advisory
https://github.com/nextcloud/richdocuments/pull/2579Broken Link
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-92g2-hVendor Advisory
https://github.com/nextcloud/server/pull/34799Broken Link
https://hackerone.com/reports/1745755Permissions RequiredThird Party Advisory

FAQ

What is CVE-2023-25159?

CVE-2023-25159 is a vulnerability with a CVSS score of 2.3 (LOW). Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform, and Nextcloud Office is a document collaboration app for the same platform. Nextcloud Server 24.0.x pri...

How severe is CVE-2023-25159?

CVE-2023-25159 has been rated LOW with a CVSS base score of 2.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-25159?

Check the references section above for vendor advisories and patch information. Affected products include: Nextcloud Nextcloud Server, Nextcloud Richdocuments.