CVE-2023-48304

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.11, 26.0.6, and 27.1.0 of Nextcloud Server and starting in version 22.0.0 and prior to versions 22.2.10.16, 23.0.12.11, 24.0.12.7, 25.0.11, 26.0.6, and 27.1.0 of Nextcloud Enterprise Server, an attacker could enable and disable the birthday calendar for any user on the same server. Nextcloud Server 25.0.11, 26.0.6, and 27.1.0 and Nextcloud Enterprise Server 22.2.10.16, 23.0.12.11, 24.0.12.7, 25.0.11, 26.0.6, and 27.1.0 contain patches for this issue. No known workarounds are available.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
GitHub_MCNA
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 35%
VendorProductVersion
nextcloudnextcloud_server
22.0.0 ≤
𝑥
≤ 22.2.10.16
nextcloudnextcloud_server
23.0.0 ≤
𝑥
< 23.0.12.11
nextcloudnextcloud_server
24.0.0 ≤
𝑥
< 24.0.12.7
nextcloudnextcloud_server
25.0.0 ≤
𝑥
< 25.0.11
nextcloudnextcloud_server
25.0.0 ≤
𝑥
< 25.0.11
nextcloudnextcloud_server
26.0.0 ≤
𝑥
< 26.0.6
nextcloudnextcloud_server
26.0.0 ≤
𝑥
< 26.0.6
nextcloudnextcloud_server
27.0.0 ≤
𝑥
< 27.1.0
nextcloudnextcloud_server
27.0.0 ≤
𝑥
< 27.1.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8jwv-c8c8-9fr3
https://github.com/nextcloud/server/pull/40292
https://hackerone.com/reports/2112973
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8jwv-c8c8-9fr3
https://github.com/nextcloud/server/pull/40292
https://hackerone.com/reports/2112973