Nextcloud server is an open source home cloud implementation. In affected versions a missing scope validation allowed users to create workflows which are designed to be only available for administrators. Some workflows are designed to be RCE by invoking defined scripts, in order to generate PDFs, invoking webhooks or running scripts on the server. Due to this combination depending on the available apps the issue can result in a RCE at the end. It is recommended that the Nextcloud Server is upgraded to 24.0.10 or 25.0.4. Users unable to upgrade should disable app `workflow_scripts` and `workflow_pdf_converter` as a mitigation.
References
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2023-03-30T18:27:17.333Z
Updated: 2023-03-30T18:27:17.333Z
Reserved: 2023-02-23T23:22:58.574Z
Link: CVE-2023-26482
JSON object: View
NVD Information
Status : Analyzed
Published: 2023-03-30T19:15:06.523
Modified: 2023-04-06T18:49:24.750
Link: CVE-2023-26482
JSON object: View
Redhat Information
No data.
CWE