Nextcloud system addressbooks can be modified by malicious trusted server
CVE-2023-35927

7.6 HIGH

Key Information:

Vendor:
Nextcloud

CVE Published:
23 June 2023

What is CVE-2023-35927?

Nextcloud Server 25.0.0 to 25.0.6, Nextcloud Server 26.0.0 to 26.0.1 and Nextcloud Enterprise Server 25.0.0 to 25.0.6 allow a remote server that has been added to the trusted servers list to modify or delete VCards in the local server's system addressbook. A malicious trusted server can therefore tamper with the user data that the local server uses for search results and avatar display. Users attempting to repair their data may inadvertently restore the incorrect entries. The issue is fixed in Nextcloud Server 25.0.7 and 26.0.2 and in Nextcloud Enterprise Server 25.0.7. As a workaround, administrators can adjust the federated sharing settings so the affected remote servers are no longer trusted and then re-sync the system addressbook (the `occ federation:sync-addressbooks` command).

Affected Version(s)

Nextcloud Server >= 25.0.0, < 25.0.7 (fixed in 25.0.7)

Nextcloud Server >= 26.0.0, < 26.0.2 (fixed in 26.0.2)

Nextcloud Enterprise Server >= 25.0.0, < 25.0.7 (fixed in 25.0.7)
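The affected ranges above are half-open (first affected version up to, but not including, the first fixed release), and the version reported by a running instance usually carries a fourth build component (for example 25.0.6.1), so a naive string comparison gets the boundary cases wrong. The following is an added example, not Nextcloud project code, that encodes only the ranges listed on this page and evaluates an `occ status --output=json` document against them. The JSON document is constructed for the example, and the assumption that `occ status` emits `version` and `versionstring` keys in that shape should be checked against your own instance; whether an instance is an Enterprise Server is passed in by the caller rather than inferred from the output.

```python
"""Check a Nextcloud version against the affected ranges listed in CVE-2023-35927.

Added example, not Nextcloud project code. The ranges below reflect only what
this advisory page lists; consult the vendor advisory for any other products.
"""
import json

# Affected ranges from the advisory: (first affected, first fixed), half-open.
AFFECTED = {
    "Nextcloud Server": [("25.0.0", "25.0.7"), ("26.0.0", "26.0.2")],
    "Nextcloud Enterprise Server": [("25.0.0", "25.0.7")],
}


def parse_version(version: str) -> tuple:
    """Turn '25.0.6.1' into (25, 0, 6, 1); anything non-numeric is rejected."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {version!r}")
    return tuple(int(p) for p in parts)


def in_range(version: str, low: str, high: str) -> bool:
    """low <= version < high, compared component-wise.

    Tuple comparison handles the extra build component correctly:
    (25, 0, 6, 1) < (25, 0, 7) and (25, 0, 7, 2) >= (25, 0, 7).
    """
    v = parse_version(version)
    return parse_version(low) <= v < parse_version(high)


def is_affected(product: str, version: str) -> bool:
    """True if `version` of `product` falls inside any listed affected range."""
    ranges = AFFECTED.get(product)
    if ranges is None:
        raise KeyError(f"product not covered by this advisory: {product!r}")
    return any(in_range(version, low, high) for low, high in ranges)


def triage_occ_status(status_json: str, enterprise: bool = False) -> dict:
    """Evaluate an `occ status --output=json` document.

    Assumption (not taken from the advisory): the document carries `version`
    (4-part build version) and `versionstring` (3-part release). Either one
    compares correctly against the 3-part ranges; `version` is preferred.
    """
    status = json.loads(status_json)
    product = "Nextcloud Enterprise Server" if enterprise else "Nextcloud Server"
    version = status.get("version") or status["versionstring"]
    return {
        "product": product,
        "version": version,
        "affected": is_affected(product, version),
    }


# Constructed sample in the shape of `occ status --output=json`; not captured
# from a real instance.
SAMPLE_STATUS = json.dumps({
    "installed": True,
    "version": "25.0.6.1",
    "versionstring": "25.0.6",
    "edition": "",
    "maintenance": False,
    "needsDbUpgrade": False,
    "productname": "Nextcloud",
    "extendedSupport": False,
})

if __name__ == "__main__":
    print(triage_occ_status(SAMPLE_STATUS))
    for v in ("24.0.12", "25.0.0", "25.0.6", "25.0.7", "26.0.1", "26.0.2"):
        print(v, is_affected("Nextcloud Server", v))
```

Run it against the real output with `php occ status --output=json > status.json` and feed the file contents to `triage_occ_status`; a result of `affected: True` means the instance needs the fixed release or, until then, the workaround described above.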

CVSS V3.1

Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N
Score:
7.6
Severity:
HIGH
Confidentiality:
Low
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published: 23 June 2023

  • Vulnerability reserved
