CVE-2023-39961

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2023-39961

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-39961.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-39961

Aliases

GHSA-qhgm-w4gx-gvgp

Published

2023-08-10T17:18:40.903Z

Modified

2026-04-10T05:00:34.092133Z

Severity

3.5 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Text does not respect "Allow download" permissions

Details

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 24.0.4 and prior to versions 25.0.9, 26.0.4, and 27.0.1, when a folder with images or an image was shared without download permissions, the user could add the image inline into a text file and download it. Nextcloud Server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. No known workarounds are available.

Database specific

{
    "cwe_ids": [
        "CWE-284"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/39xxx/CVE-2023-39961.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/nextcloud/server

Affected ranges

Type

GIT

Repo

https://github.com/nextcloud/server

Events

Introduced

20ea9a25353129b56d46951fe7d23939665ab2b2

Fixed

fbc4a4aad97572da902fef0ee61cbd49bba58365

Introduced

20ea9a25353129b56d46951fe7d23939665ab2b2

Fixed

fbc4a4aad97572da902fef0ee61cbd49bba58365

Introduced

62cfd3b4c9ff4d8cdbbe6dcc8b63a1085bb94e3d

Fixed

318ac2714fafa63dcd90805a5cb8ee9d60b58f53

Introduced

62cfd3b4c9ff4d8cdbbe6dcc8b63a1085bb94e3d

Fixed

318ac2714fafa63dcd90805a5cb8ee9d60b58f53

Introduced

Last affected

add4e4365a4040d2e4e6aa79c0d03c3edd78583c

Introduced

Last affected

add4e4365a4040d2e4e6aa79c0d03c3edd78583c

Database specific

{
    "versions": [
        {
            "introduced": "25.0.0"
        },
        {
            "fixed": "25.0.9"
        },
        {
            "introduced": "25.0.0"
        },
        {
            "fixed": "25.0.9"
        },
        {
            "introduced": "26.0.0"
        },
        {
            "fixed": "26.0.4"
        },
        {
            "introduced": "26.0.0"
        },
        {
            "fixed": "26.0.4"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "27.0.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "27.0.0"
        }
    ]
}

Affected versions

v1.*

v1.0.0beta1

v11.*

v11.0.0

v11.0RC2

v12.*

v12.0.0beta1

v12.0.0beta2

v12.0.0beta3

v12.0.0beta4

v13.*

v13.0.0RC1

v13.0.0beta1

v13.0.0beta2

v13.0.0beta3

v13.0.0beta4

v14.*

v14.0.0RC1

v14.0.0RC2

v14.0.0beta1

v14.0.0beta2

v14.0.0beta3

v14.0.0beta4

v15.*

v15.0.0RC1

v15.0.0beta1

v15.0.0beta2

v16.*

v16.0.0RC1

v16.0.0alpha1

v16.0.0beta1

v16.0.0beta2

v16.0.0beta3

v17.*

v17.0.0beta1

v17.0.0beta2

v17.0.0beta3

v17.0.0beta4

v18.*

v18.0.0RC1

v18.0.0beta1

v18.0.0beta2

v18.0.0beta3

v18.0.0beta4

v19.*

v19.0.0RC1

v19.0.0RC2

v19.0.0beta1

v19.0.0beta2

v19.0.0beta3

v19.0.0beta4

v19.0.0beta5

v19.0.0beta6

v19.0.0beta7

v20.*

v20.0.0RC1

v20.0.0beta1

v20.0.0beta2

v20.0.0beta3

v20.0.0beta4

v21.*

v21.0.0beta1

v21.0.0beta2

v21.0.0beta3

v21.0.0beta4

v21.0.0beta5

v21.0.0beta6

v21.0.0beta7

v21.0.0beta8

v22.*

v22.0.0beta1

v22.0.0beta2

v22.0.0beta4

v22.0.0beta5

v22.0.0rc1

v23.*

v23.0.0beta1

v23.0.0beta2

v23.0.0beta3

v24.*

v24.0.0beta1

v24.0.0beta2

v24.0.0beta3

v24.0.0rc1

v25.*

v25.0.0

v25.0.0beta1

v25.0.0beta2

v25.0.0beta3

v25.0.0beta4

v25.0.0beta5

v25.0.0beta6

v25.0.0beta7

v25.0.1

v25.0.1rc1

v25.0.2

v25.0.2rc1

v25.0.2rc2

v25.0.2rc3

v25.0.3

v25.0.3rc1

v25.0.3rc2

v25.0.4

v25.0.4rc1

v25.0.5

v25.0.5rc1

v25.0.6

v25.0.6rc1

v25.0.7

v25.0.7rc1

v25.0.8

v25.0.8rc1

v25.0.8rc2

v25.0.9rc1

v25.0.9rc2

v26.*

v26.0.0

v26.0.0beta1

v26.0.0beta2

v26.0.0beta3

v26.0.0beta4

v26.0.0beta5

v26.0.0rc1

v26.0.1

v26.0.1rc1

v26.0.2

v26.0.2rc1

v26.0.3

v26.0.3rc1

v26.0.3rc2

v26.0.4rc1

v26.0.4rc2

v27.*

v27.0.0

v27.0.0beta1

v27.0.0beta2

v27.0.0rc1

v27.0.0rc2

v27.0.0rc3

v27.0.0rc4

v3.*

v3.0

v4.*

v4.0.0

v4.0.0RC

v4.0.0RC2

v4.0.0beta

v4.0.1

v4.0.4

v4.0.5

v4.0.6

v4.5.0

v4.5.0RC1

v4.5.0RC2

v4.5.0RC3

v4.5.0beta3

v4.5.0beta4

v5.*

v5.0.0

v5.0.0RC1

v5.0.0RC2

v5.0.0RC3

v5.0.0alpha1

v5.0.0beta1

v5.0.0beta2

v6.*

v6.0.0RC1

v6.0.0RC2

v6.0.0alpha2

v6.0.0beta2

v6.0.0beta3

v6.0.0beta4

v6.0.0beta5

v7.*

v7.0.0alpha2

v7.0.0beta1

v8.*

v8.0.0

v8.0.0RC1

v8.0.0RC2

v8.0.0alpha1

v8.0.0alpha2

v8.0.0beta1

v8.0.0beta2

v8.1.0alpha1

v8.1.0alpha2

v8.1.0beta1

v8.1.0beta2

v8.1RC2

v8.2RC1

v8.2beta1

v9.*

v9.0.0beta2

v9.0beta1

v9.1.0beta1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-39961.json"

Git / github.com/nextcloud/text

Affected ranges

Type

GIT

Repo

https://github.com/nextcloud/text

Events

Introduced

b610140d60b978131bb4c4bf24c383946b9f8bae

Fixed

3930f6b81e8f6285710dce808e2338b0fb504f4f

Database specific

{
    "versions": [
        {
            "introduced": "25.0.0"
        },
        {
            "fixed": "25.0.9"
        }
    ]
}

Type

GIT

Repo

https://github.com/nextcloud/text

Events

Introduced

3fce0e2feb1e6528a77a441610063051b77cfdde

Fixed

94b8cc5a1612568d231c710339c211e5022afd67

Database specific

{
    "versions": [
        {
            "introduced": "27.0.0"
        },
        {
            "fixed": "27.0.1"
        }
    ]
}

Type

GIT

Repo

https://github.com/nextcloud/text

Events

Introduced

18cce808c81d44dbfec09832c994ebcf28d37757

Fixed

fded8a652bb9dd9015f0819992ee5ff216a3d3fb

Database specific

{
    "versions": [
        {
            "introduced": "26.0.0"
        },
        {
            "fixed": "26.0.4"
        }
    ]
}

Affected versions

v25.*

v25.0.0

v25.0.0rc4

v25.0.0rc5

v25.0.1

v25.0.1rc1

v25.0.2

v25.0.2rc1

v25.0.2rc2

v25.0.2rc3

v25.0.3

v25.0.3rc1

v25.0.3rc2

v25.0.4

v25.0.4rc1

v25.0.5

v25.0.5rc1

v25.0.6

v25.0.6rc1

v25.0.7

v25.0.7rc1

v25.0.8

v25.0.8rc1

v25.0.8rc2

v25.0.9rc1

v25.0.9rc2

v26.*

v26.0.0

v26.0.1

v26.0.1rc1

v26.0.2

v26.0.2rc1

v26.0.3

v26.0.3rc1

v26.0.3rc2

v26.0.4rc1

v26.0.4rc2

v27.*

v27.0.0

v27.0.1rc1

v27.0.1rc2

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-39961.json"