CVE Catalog

CVE-2023-39959

LowCVSS 3.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.49%

38th percentile — higher than 38% of all known CVEs

Summary

Nextcloud Server, an open source cloud platform, has a vulnerability that allows unauthenticated users to send DAV requests revealing the existence of a calendar or address book for a given identifier. The issue affects versions from 25.0.0 to 25.0.8, 26.0.0 to 26.0.3, and 27.0.0 to 27.0.0.

Risk Assessment

Organizations may be exposed to the disclosure of information about existing calendar and address book resources, potentially leading to further attacks or privacy breaches.

Recommendation

It is recommended to upgrade to versions 25.0.9, 26.0.4, or 27.0.1, which contain patches for this vulnerability. No known workarounds are available.

Original NVD description (English source)

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.9, 26.0.4, and 27.0.1, unauthenticated users could send a DAV request which reveals whether a calendar or an address book with the given identifier exists for the victim. Nextcloud Server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. No known workarounds are available.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS