Vulnerability Description
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. In Nextcloud Server prior to versions 26.0.9 and 27.1.4; as well as Nextcloud Enterprise Server prior to versions 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4; when an attacker manages to get access to an active session of another user via another way, they could delete and modify workflows by sending calls directly to the API bypassing the password confirmation shown in the UI. Nextcloud Server versions 26.0.9 and 27.1.4 and Nextcloud Enterprise Server versions 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4 contain a patch for this issue. No known workarounds are available.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nextcloud | Nextcloud Server | >= 23.0.0, < 23.0.12.13 |
Related Weaknesses (CWE)
References
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-3f8p-6Vendor Advisory
- https://github.com/nextcloud/server/pull/41520Patch
- https://hackerone.com/reports/2120667Permissions Required
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-3f8p-6Vendor Advisory
- https://github.com/nextcloud/server/pull/41520Patch
- https://hackerone.com/reports/2120667Permissions Required
FAQ
What is CVE-2023-49791?
CVE-2023-49791 is a vulnerability with a CVSS score of 5.4 (MEDIUM). Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. In Nextcloud Server prior to versions 26.0.9 and 27.1.4; as well as Nextcloud Enterprise Server prior to versions 2...
How severe is CVE-2023-49791?
CVE-2023-49791 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-49791?
Check the references section above for vendor advisories and patch information. Affected products include: Nextcloud Nextcloud Server.