CVE-2023-28643

MEDIUM

Nextcloud <25.0.3, <24.0.9 - Info Disclosure

Title source: llm

Description

Nextcloud server is an open source home cloud implementation. In affected versions when a recipient receives 2 shares with the same name, while a memory cache is configured, the second share will replace the first one instead of being renamed to `{name} (2)`. It is recommended that the Nextcloud Server is upgraded to 25.0.3 or 24.0.9. Users unable to upgrade should avoid sharing 2 folders with the same name to the same user.

References (3)

[Vendor Advisory] https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hhq4-4pr8-wm27

[Exploit, Issue Tracking] https://github.com/nextcloud/server/issues/34015

[Issue Tracking, Patch] https://github.com/nextcloud/server/pull/36047

Scores

CVSS v3 5.5

EPSS 0.0066

EPSS Percentile 71.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-706

Status published

Products (1)

nextcloud/nextcloud_server 24.0.0 - 24.0.9 (2 CPE variants)

Published Mar 30, 2023

Tracked Since Feb 18, 2026