Home > Vulnerability Database > CVE-2023-26482

Mend.io Vulnerability Database

CVE-2023-26482

Good to know:

Date: March 30, 2023

Nextcloud server is an open source home cloud implementation. In affected versions a missing scope validation allowed users to create workflows which are designed to be only available for administrators. Some workflows are designed to be RCE by invoking defined scripts, in order to generate PDFs, invoking webhooks or running scripts on the server. Due to this combination depending on the available apps the issue can result in a RCE at the end. It is recommended that the Nextcloud Server is upgraded to 24.0.10 or 25.0.4. Users unable to upgrade should disable app `workflow_scripts` and `workflow_pdf_converter` as a mitigation.

Language: Swift

Severity Score

9.0

Related Resources (4)

Url: https://github.com/nextcloud/server/commit/5a06b50b10cc9278bbe68bbf897a0c4aeb0c4e60

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-26482

Url: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h3c9-cmh8-7qpj

Url: https://www.mend.io/vulnerability-database/CVE-2023-26482

Severity Score

9.0

Weakness Type (CWE)

OS Command Injections

CWE-78

Insufficient Information

NVD-CWE-noinfo

Top Fix

Upgrade Version

Upgrade to version v24.0.10,v25.0.4

Learn More

CVSS v3.1

Base Score:	9.0
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-26482

Good to know:

Date: March 30, 2023

Language: Swift

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?