U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Vulnerability Change Records for CVE-2023-49791

Change History

New CVE Received by NIST 12/22/2023 12:15:08 PM

Action Type Old Value New Value
Added CVSS V3.1

								
							
							
						
GitHub, Inc. AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Added CWE

								
							
							
						
GitHub, Inc. CWE-284
Added CWE

								
							
							
						
GitHub, Inc. CWE-287
Added Description

								
							
							
						
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. In Nextcloud Server prior to versions 26.0.9 and 27.1.4; as well as Nextcloud Enterprise Server prior to versions 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4; when an attacker manages to get access to an active session of another user via another way, they could delete and modify workflows by sending calls directly to the API bypassing the password confirmation shown in the UI. Nextcloud Server versions 26.0.9 and 27.1.4 and Nextcloud Enterprise Server versions 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4 contain a patch for this issue. No known workarounds are available.
Added Reference

								
							
							
						
GitHub, Inc. https://github.com/nextcloud/security-advisories/security/advisories/GHSA-3f8p-6qww-2prr [No types assigned]
Added Reference

								
							
							
						
GitHub, Inc. https://github.com/nextcloud/server/pull/41520 [No types assigned]
Added Reference

								
							
							
						
GitHub, Inc. https://hackerone.com/reports/2120667 [No types assigned]