Nextcloud iOS Files app: Unauth Access via Missing 4-digit PIN (before 4.9.2)
CVE-2023-49790 Published on December 22, 2023

App PIN code can be bypassed in Nextcloud Files iOS
The Nextcloud iOS Files app allows users of iOS to interact with Nextcloud, a self-hosted productivity platform. Prior to version 4.9.2, the application can be used without providing the 4 digit PIN code. Nextcloud iOS Files app should be upgraded to 4.9.2 to receive the patch. No known workarounds are available.

NVD

Vulnerability Analysis

CVE-2023-49790 is exploitable with physical access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be low. considered to have a small impact on confidentiality and integrity and availability.

Attack Vector:
PHYSICAL
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
LOW
Integrity Impact:
LOW
Availability Impact:
LOW

Weakness Type

What is an authentification Vulnerability?

When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

CVE-2023-49790 has been classified to as an authentification vulnerability or weakness.


Products Associated with CVE-2023-49790

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2023-49790 are published in Nextcloud:

Nextcloud
 

Affected Versions

nextcloud security-advisories Version < 4.9.2 is affected by CVE-2023-49790

Exploit Probability

EPSS
0.25%
Percentile
48.12%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.