Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2023-28834

Good to know:

icon

Date: April 3, 2023

Nextcloud Server is an open source personal cloud server. Nextcloud Server 24.0.0 until 24.0.6 and 25.0.0 until 25.0.4, as well as Nextcloud Enterprise Server 23.0.0 until 23.0.11, 24.0.0 until 24.0.6, and 25.0.0 until 25.0.4, have an information disclosure vulnerability. A user was able to get the full data directory path of the Nextcloud server from an API endpoint. By itself this information is not problematic as it can also be guessed for most common setups, but it could speed up other unknown attacks in the future if the information is known. Nextcloud Server 24.0.6 and 25.0.4 and Nextcloud Enterprise Server 23.0.11, 24.0.6, and 25.0.4 contain patches for this issue. There are no known workarounds.

Language: PHP

Severity Score

Related Resources (7)

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-5w64-6c42-rgcv
https://github.com/nextcloud/server/issues/33883
https://github.com/nextcloud/server/pull/36094
https://nvd.nist.gov/vuln/detail/CVE-2023-28834
https://hackerone.com/reports/1690510
https://github.com/nextcloud/server/commit/c24884d014cb705b64b45af1a41a8b8cc5669121
https://www.mend.io/vulnerability-database/CVE-2023-28834

Severity Score

Weakness Type (CWE)

Improper Removal of Sensitive Information Before Storage or Transfer

CWE-212

Top Fix

icon

Upgrade Version

Upgrade to version v24.0.10,v25.0.4

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): NONE
Availability (A): NONE

Do you need more information?

Contact Us