CVE Catalog

CVE-2023-39961

LowCVSS 3.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.47%

37th percentile — higher than 37% of all known CVEs

Summary

Nextcloud Server provides data storage for the Nextcloud cloud platform. In versions from 24.0.4 to 25.0.8, 26.0.3, and 27.0.0, users could add images inline into text files and download them, even if the folder containing the images did not have download permissions.

Risk Assessment

Organizations may be exposed to unauthorized access to images, potentially leading to data leaks or privacy violations.

Recommendation

It is recommended to upgrade to versions 25.0.9, 26.0.4, 27.0.1, or the corresponding Nextcloud Enterprise Server versions to patch this vulnerability.

Original NVD description (English source)

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 24.0.4 and prior to versions 25.0.9, 26.0.4, and 27.0.1, when a folder with images or an image was shared without download permissions, the user could add the image inline into a text file and download it. Nextcloud Server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. No known workarounds are available.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS