CVE-2023-25821
Severity: MEDIUM
Nextcloud Server 24.0.4-24.0.6 and 25.0.0 - Improper Access Control via Reshare Permissions
Nextcloud is an Open Source private cloud software. Versions 24.0.4 and above, prior to 24.0.7, and 25.0.0 and above, prior to 25.0.1, contain Improper Access Control. Secure view for internal shares can be circumvented if reshare permissions are also given. This issue is patched in versions 24.0.7 and 25.0.1. No workaround is available.
References (3)
Core References
Vendor Advisory x_refsource_confirm
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7w6h-5qgw-4j94
Patch x_refsource_misc
https://github.com/nextcloud/server/pull/34502
Exploit, Third Party Advisory x_refsource_misc
https://hackerone.com/reports/1724016
Scores
CVSS v3
5.7
EPSS
0.0015
EPSS Percentile
35.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-284
Status
published
Products (2)
nextcloud/nextcloud_server
25.0.0 (2 CPE variants)
nextcloud/nextcloud_server
24.0.4 - 24.0.7 (2 CPE variants)
Published
Feb 25, 2023
Tracked Since
Feb 18, 2026