Vulnerability Details : CVE-2023-28844
Nextcloud Server is an open source home cloud implementation. In affected versions, a user who should not be able to download a shared file (the share exposes it view-only, with download disabled) can still download an older version of that file through the versions endpoint and use that copy for uncontrolled distribution. The view-only restriction was enforced on the current-file endpoint but not on the versions endpoint. This issue has been addressed in versions 24.0.10 and 25.0.4. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Vulnerability category: Bypass, Gain privilege
Products affected by CVE-2023-28844
- cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-28844
EPSS score: 0.06% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~27% (the proportion of all scored vulnerabilities with an EPSS score at or below this one)
CVSS scores for CVE-2023-28844
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 2.8 | 3.6 | NIST |
5.7 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N | 2.1 | 3.6 | GitHub, Inc. |

Both vectors agree on the impact (high confidentiality loss, no integrity or availability impact) and on a low-privileged network attacker; they differ only on whether user interaction (UI:R) is required, which is what lowers the GitHub score from 6.5 to 5.7.
CWE ids for CVE-2023-28844
- CWE-284 (Improper Access Control): The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. Assigned by: security-advisories@github.com (Primary)
References for CVE-2023-28844
- https://github.com/nextcloud/server/pull/36113 (Patch): Extend ViewOnly DAV plugin to versions endpoint by PVince81 · Pull Request #36113 · nextcloud/server · GitHub
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-w47p-f66h-h2vj (Vendor Advisory): User without download rights can download older version of that file · Advisory · nextcloud/security-advisories · GitHub
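The access-control gap behind this CVE, modelled as an added example. This is illustrative code written for this page, not Nextcloud's own code: it models a view-only share (read allowed, download hidden) and two DAV-style routes, the current-file route and the file-versions route. The vulnerable dispatcher applies the view-only check only on the current-file route, so an older version is served as raw bytes; the hardened dispatcher runs the same check before either route returns content, which is the shape of the "Extend ViewOnly DAV plugin to versions endpoint" fix referenced above. The names Share, Store, enforce_view_only, vulnerable_get, hardened_get and the sample paths and version ids are all assumptions made for this example.

```python
"""Model of a view-only share check applied to one endpoint (vulnerable)
versus both endpoints (hardened).  Illustrative only; not Nextcloud code.
All class and function names are assumptions for this example."""
from dataclasses import dataclass, field
from typing import Dict, Optional


class Forbidden(Exception):
    """Raised when a request is refused by the share's access rules."""


@dataclass
class Share:
    """One share granted to one user (constructed for this example)."""
    root: str                    # path the share grants access to
    can_read: bool = True        # read permission on the share
    hide_download: bool = False  # "view only": viewable in the UI, download not allowed


@dataclass
class Store:
    """Current contents plus older versions of each file (constructed sample data)."""
    current: Dict[str, bytes] = field(default_factory=dict)
    versions: Dict[str, Dict[str, bytes]] = field(default_factory=dict)


def within_share(share: Share, path: str) -> bool:
    """True if `path` is the shared node or lies below it."""
    return path == share.root or path.startswith(share.root.rstrip("/") + "/")


def enforce_view_only(share: Share, path: str) -> None:
    """The check a view-only DAV plugin must run before serving raw file bytes."""
    if not within_share(share, path) or not share.can_read:
        raise Forbidden("path not readable through this share")
    if share.hide_download:
        raise Forbidden("download is disabled for this share")


def vulnerable_get(share: Share, store: Store, route: str, path: str,
                   version_id: Optional[str] = None) -> bytes:
    """Pre-fix shape: the view-only check guards only the current-file route."""
    if route == "files":
        enforce_view_only(share, path)
        return store.current[path]
    if route == "versions":
        # BUG: read permission is checked, but hide_download is not,
        # so any older version is handed out as raw bytes.
        if not within_share(share, path) or not share.can_read:
            raise Forbidden("path not readable through this share")
        return store.versions[path][version_id]
    raise KeyError(route)


def hardened_get(share: Share, store: Store, route: str, path: str,
                 version_id: Optional[str] = None) -> bytes:
    """Post-fix shape: the same check runs before any route returns content."""
    enforce_view_only(share, path)
    if route == "files":
        return store.current[path]
    if route == "versions":
        return store.versions[path][version_id]
    raise KeyError(route)


def attempt(handler, share: Share, store: Store, route: str, path: str,
            version_id: Optional[str] = None) -> str:
    """Run one request and report whether content leaked or the check held."""
    try:
        data = handler(share, store, route, path, version_id)
    except Forbidden:
        return "blocked"
    return "leaked:" + data.decode()


def run_scenario() -> Dict[str, str]:
    """A view-only share of /shared; the attacker asks for an older version."""
    store = Store(
        current={"/shared/plan.txt": b"v3 final"},
        versions={"/shared/plan.txt": {"1680000000": b"v1 draft",
                                       "1680003600": b"v2 draft"}},
    )
    share = Share(root="/shared", hide_download=True)
    p, v = "/shared/plan.txt", "1680000000"
    return {
        "files_vulnerable": attempt(vulnerable_get, share, store, "files", p),
        "versions_vulnerable": attempt(vulnerable_get, share, store, "versions", p, v),
        "files_hardened": attempt(hardened_get, share, store, "files", p),
        "versions_hardened": attempt(hardened_get, share, store, "versions", p, v),
    }


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name:20s} {outcome}")
```

The design point is that the authorization decision lives in one function that every content-returning route calls before touching the store, rather than being duplicated per route; the vulnerable version shows how a partial copy of the check on a second route silently drops the download restriction.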