CVE-2023-28646

MEDIUM

Nextcloud android <3.24.1 - Info Disclosure

Title source: llm

Description

Nextcloud android is an android app for interfacing with the nextcloud home server ecosystem. In versions from 3.7.0 and before 3.24.1 an attacker that has access to the unlocked physical device can bypass the Nextcloud Android Pin/passcode protection via a thirdparty app. This allows to see meta information like sharer, sharees and activity of files. It is recommended that the Nextcloud Android app is upgraded to 3.24.1. There are no known workarounds for this vulnerability.

References (2)

[Vendor Advisory] https://github.com/nextcloud/security-advisories/security/advisories/GHSA-c3rf-94h6-vj8v

[Issue Tracking, Patch] https://github.com/nextcloud/android/pull/11242

Scores

CVSS v3 4.4

EPSS 0.0006

EPSS Percentile 17.6%

Attack Vector PHYSICAL

CVSS:3.1/AV:P/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-287 CWE-281

Status published

Products (1)

nextcloud/nextcloud 3.7.0 - 3.24.1

Published Mar 30, 2023

Tracked Since Feb 18, 2026