CVE-2023-22472

Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. It is possible to make a user send any POST request with an arbitrary body given they click on a malicious deep link on a Windows computer. (e.g. in an email, chat link, etc). There are currently no known workarounds. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.2.
CSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.3 MEDIUM
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
GitHub_MCNA
5.3 MEDIUM
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 33%
VendorProductVersion
nextclouddesktop
3.6.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/nextcloud/desktop/pull/5106
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4gfv-xqpx-42qj
https://github.com/nextcloud/desktop/pull/5106
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4gfv-xqpx-42qj