CVE-2023-48301

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-48301

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-48301.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-48301

Aliases

GHSA-wgpw-qqq2-gwv6

Published

2023-11-21T21:26:21.288Z

Modified

2025-12-05T00:11:34.087376Z

Severity

3.5 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L CVSS Calculator

Summary

Nextcloud Server HTML injection in search UI when selecting a circle with HTML in the display name

Details

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.13, 26.0.8, and 27.1.3 of Nextcloud Server and Nextcloud Enterprise Server, an attacker could insert links into circles name that would be opened when clicking the circle name in a search filter. Nextcloud Server and Nextcloud Enterprise Server versions 25.0.13, 26.0.8, and 27.1.3 contain a fix for this issue. As a workaround, disable app circles.

Database specific

{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/48xxx/CVE-2023-48301.json",
    "cwe_ids": [
        "CWE-79"
    ]
}

References

Affected packages

Git / github.com/nextcloud/circles

Affected ranges

Type

GIT

Repo

https://github.com/nextcloud/circles

Events

Introduced

c747d7edb011325aa830df72ca422522432b15e7

Fixed

1fda5b6bc30309fa18b88e14a8a08da5844350f2

Database specific

{
    "versions": [
        {
            "introduced": "25.0.0"
        },
        {
            "fixed": "25.0.13"
        }
    ]
}

Type

GIT

Repo

https://github.com/nextcloud/circles

Events

Introduced

f76ec21a7d6a7e0496e96317999fdb08e36ddd9a

Fixed

32c8b02f396f7b844c22a77a1d75996ab23493ad

Database specific

{
    "versions": [
        {
            "introduced": "26.0.0"
        },
        {
            "fixed": "26.0.8"
        }
    ]
}

Type

GIT

Repo

https://github.com/nextcloud/circles

Events

Introduced

0fb3dbbc2b9aa6c4ca79c638d1530bf0b6914f1f

Fixed

48104d8f0783d5b18b9e8787080d8b04b86bc548

Database specific

{
    "versions": [
        {
            "introduced": "27.0.0"
        },
        {
            "fixed": "27.1.3"
        }
    ]
}

Affected versions

v25.*

v25.0.0

v25.0.1

v25.0.10

v25.0.10rc1

v25.0.11

v25.0.11rc1

v25.0.12

v25.0.13rc1

v25.0.13rc2

v25.0.1rc1

v25.0.2

v25.0.2rc1

v25.0.2rc2

v25.0.2rc3

v25.0.3

v25.0.3rc1

v25.0.3rc2

v25.0.4

v25.0.4rc1

v25.0.5

v25.0.5rc1

v25.0.6

v25.0.6rc1

v25.0.7

v25.0.7rc1

v25.0.8

v25.0.8rc1

v25.0.8rc2

v25.0.9

v25.0.9rc1

v25.0.9rc2

v26.*

v26.0.0

v26.0.1

v26.0.1rc1

v26.0.2

v26.0.2rc1

v26.0.3

v26.0.3rc1

v26.0.3rc2

v26.0.4

v26.0.4rc1

v26.0.4rc2

v26.0.5

v26.0.5rc1

v26.0.6

v26.0.6rc1

v26.0.7

v26.0.8rc1

v26.0.8rc2

v27.*

v27.0.0

v27.0.1

v27.0.1rc1

v27.0.1rc2

v27.0.2

v27.0.2rc1

v27.1.0

v27.1.0beta2

v27.1.0beta3

v27.1.0rc1

v27.1.0rc2

v27.1.0rc3

v27.1.0rc4

v27.1.1

v27.1.2

v27.1.2rc1

v27.1.3rc1

v27.1.3rc2

Git / github.com/nextcloud/server

Affected ranges

Type: GIT
Repo: https://github.com/nextcloud/server
Events: Introduced

20ea9a25353129b56d46951fe7d23939665ab2b2

Fixed

30fb8a53b04c623db368d29a83e8e1153a2d6b07

Affected versions

v25.*

v25.0.0

v25.0.1

v25.0.10

v25.0.10rc1

v25.0.11

v25.0.11rc1

v25.0.12

v25.0.13rc1

v25.0.13rc2

v25.0.1rc1

v25.0.2

v25.0.2rc1

v25.0.2rc2

v25.0.2rc3

v25.0.3

v25.0.3rc1

v25.0.3rc2

v25.0.4

v25.0.4rc1

v25.0.5

v25.0.5rc1

v25.0.6

v25.0.6rc1

v25.0.7

v25.0.7rc1

v25.0.8

v25.0.8rc1

v25.0.8rc2

v25.0.9

v25.0.9rc1

v25.0.9rc2