Home > Vulnerability Database > CVE-2023-49791

Mend.io Vulnerability Database

CVE-2023-49791

Good to know:

Date: December 22, 2023

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. In Nextcloud Server prior to versions 26.0.9 and 27.1.4; as well as Nextcloud Enterprise Server prior to versions 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4; when an attacker manages to get access to an active session of another user via another way, they could delete and modify workflows by sending calls directly to the API bypassing the password confirmation shown in the UI. Nextcloud Server versions 26.0.9 and 27.1.4 and Nextcloud Enterprise Server versions 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4 contain a patch for this issue. No known workarounds are available.

Language: PHP

Severity Score

5.4

Related Resources (5)

Url: https://hackerone.com/reports/2120667

Url: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-3f8p-6qww-2prr

Url: https://github.com/nextcloud/server/pull/41520

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-49791

Url: https://www.mend.io/vulnerability-database/CVE-2023-49791

Severity Score

5.4

Weakness Type (CWE)

Authentication Issues

CWE-287

Improper Access Control

CWE-284

Top Fix

Upgrade Version

Upgrade to version v26.0.9,v27.1.4

Learn More

CVSS v3.1

Base Score:	5.4
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	LOW
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2023-49791

Good to know:

Date: December 22, 2023

Language: PHP

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?