Nextcloud Tagging Workflow Access Bypass <24.0.11/25.0.5
CVE-2023-30539 Published on April 17, 2023

Users can set up workflows using restricted and invisible system tags in Nextcloud
Nextcloud is a personal home server system. Depending on the set up tags and other workflows this issue can be used to limit access of others or being able to grant them access when there are system tag based files access control or files retention rules. It is recommended that the Nextcloud Server is upgraded to 24.0.11 or 25.0.5, the Nextcloud Enterprise Server to 21.0.9.11, 22.2.10.11, 23.0.12.6, 24.0.11 or 25.0.5, and the Nextcloud Files automated tagging app to 1.11.1, 1.12.1, 1.13.1, 1.14.2, 1.15.3 or 1.16.1. Users unable to upgrade should disable all workflow related apps. Users are advised to upgrade.

NVD

Vulnerability Analysis

CVE-2023-30539 can be exploited with network access, requires user interaction and a small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be low. considered to have a small impact on confidentiality and integrity and availability.

Attack Vector:

NETWORK

Attack Complexity:

LOW

Privileges Required:

LOW

User Interaction:

REQUIRED

Scope:

CHANGED

Confidentiality Impact:

LOW

Integrity Impact:

LOW

Availability Impact:

LOW

Weakness Type

What is an Authorization Vulnerability?

The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVE-2023-30539 has been classified to as an Authorization vulnerability or weakness.

Products Associated with CVE-2023-30539

Want to know whenever a new CVE is published for Nextcloud products? stack.watch will email you.

Nextcloud Files Automated Tagging

Nextcloud Server

Nextcloud

Affected Versions

nextcloud security-advisories:

Version Nextcloud Server: < 24.0.11 is affected.
Version Nextcloud Server: >= 25.0.0, < 25.0.5 is affected.
Version Nextcloud Files automated tagging: >= 1.11.0, < 1.11.1 is affected.
Version Nextcloud Files automated tagging: >= 1.12.0, < 1.12.1 is affected.
Version Nextcloud Files automated tagging: >= 1.13.0, < 1.13.1 is affected.
Version Nextcloud Files automated tagging: >= 1.14.0, < 1.14.2 is affected.
Version Nextcloud Files automated tagging: >= 1.15.0, < 1.15.3 is affected.
Version Nextcloud Files automated tagging: >= 1.16.0, < 1.16.1 is affected.

Exploit Probability

EPSS

0.38%

Percentile

58.67%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.