Description
The Nextcloud Files Zip app is a tool for creating zip archives from one or multiple files from within Nextcloud. In affected versions, users can download "view-only" files by zipping the complete folder. It is recommended that the Files Zip app be upgraded to 1.2.1, 1.4.1, or 1.5.0. Users unable to upgrade should disable the Files Zip app.
References (3)
Core References
Vendor Advisory x_refsource_confirm
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vhj3-mch4-67fq
Patch x_refsource_misc
https://github.com/nextcloud/files_zip/commit/43204539d517a13e945b90652718e2a213f46820
Permissions Required, Third Party Advisory x_refsource_misc
https://hackerone.com/reports/2247457
Scores
CVSS v3
4.1
EPSS
0.0052
EPSS Percentile
39.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-281
Status
published
Products (2)
nextcloud/zipper
1.4.0
nextcloud/zipper
< 1.2.1
Published
Jan 18, 2024
Tracked Since
Feb 18, 2026