CVE-2023-25817: Delete permissions are not saved when creating public share in Nextcloud server
First published: Mon Mar 27 2023(Updated: )
Nextcloud server is an open source, personal cloud implementation. In versions from 24.0.0 and before 24.0.9 a user could escalate their permissions to delete files they were not supposed to deletable but only viewed or downloaded. This issue has been addressed andit is recommended that the Nextcloud Server is upgraded to 24.0.9. There are no known workarounds for this vulnerability.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Nextcloud Server | >=24.0.0<24.0.9 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is Nextcloud server?
Nextcloud server is an open source personal cloud implementation.
What is the severity of CVE-2023-25817?
The severity of CVE-2023-25817 is high.
What is the impact of CVE-2023-25817?
The impact of CVE-2023-25817 is an escalation of user permissions, allowing the deletion of files that should only be viewed or downloaded.
How can I fix CVE-2023-25817?
To fix CVE-2023-25817, update Nextcloud server to version 24.0.9 or later.
Is there any additional information available about CVE-2023-25817?
Yes, you can find more information about CVE-2023-25817 in the Nextcloud security advisories and the corresponding GitHub pull request.
- agent/references
- agent/weakness
- agent/type
- agent/remedy
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/title
- agent/author
- agent/first-publish-date
- agent/event
- agent/description
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/nextcloud
- canonical/nextcloud server
- version/nextcloud server/24.0.0