CVE-2023-49791

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-49791
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-49791.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-49791
Related
  • GHSA-3f8p-6qww-2prr
Published
2023-12-22T17:15:08Z
Modified
2025-01-14T12:14:19.451853Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L CVSS Calculator
Summary
[none]
Details

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. In Nextcloud Server prior to versions 26.0.9 and 27.1.4; as well as Nextcloud Enterprise Server prior to versions 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4; when an attacker manages to get access to an active session of another user via another way, they could delete and modify workflows by sending calls directly to the API bypassing the password confirmation shown in the UI. Nextcloud Server versions 26.0.9 and 27.1.4 and Nextcloud Enterprise Server versions 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4 contain a patch for this issue. No known workarounds are available.

References

Affected packages

Git / github.com/nextcloud/server

Affected ranges

Type
GIT
Repo
https://github.com/nextcloud/server
Events

Affected versions

v26.*

v26.0.0
v26.0.1
v26.0.1rc1
v26.0.2
v26.0.2rc1
v26.0.3
v26.0.3rc1
v26.0.3rc2
v26.0.4
v26.0.4rc1
v26.0.4rc2
v26.0.5
v26.0.5rc1
v26.0.6
v26.0.6rc1
v26.0.7
v26.0.8
v26.0.8rc1
v26.0.8rc2
v26.0.9rc1