What is the severity of CVE-2023-49791?

CVE-2023-49791 has a medium severity rating due to potential unauthorized access to sensitive data.

How do I fix CVE-2023-49791?

To fix CVE-2023-49791, upgrade your Nextcloud Server to version 26.0.9, 27.1.4, or applicable enterprise versions.

Which versions are affected by CVE-2023-49791?

CVE-2023-49791 affects Nextcloud Server versions prior to 26.0.9 and 27.1.4, as well as specific enterprise versions.

Is CVE-2023-49791 a remote code execution vulnerability?

No, CVE-2023-49791 is not classified as a remote code execution vulnerability, but it can lead to unauthorized access.

Are there any known exploits for CVE-2023-49791?

There have been reports indicating that CVE-2023-49791 has been exploited in the wild.

Vulnerability/
CVE-2023-49791

medium

5.4

CWE

284 287

22/12/2023

12/9/2024

CVE-2023-49791: Workflows do not require password confirmation on API level

First published: Fri Dec 22 2023(Updated: )

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. In Nextcloud Server prior to versions 26.0.9 and 27.1.4; as well as Nextcloud Enterprise Server prior to versions 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4; when an attacker manages to get access to an active session of another user via another way, they could delete and modify workflows by sending calls directly to the API bypassing the password confirmation shown in the UI. Nextcloud Server versions 26.0.9 and 27.1.4 and Nextcloud Enterprise Server versions 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4 contain a patch for this issue. No known workarounds are available.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Nextcloud Server	>=23.0.0<23.0.12.13
Nextcloud Server	>=24.0.0<24.0.12.9
Nextcloud Server	>=25.0.0<25.0.13.4
Nextcloud Server	>=26.0.0<26.0.9
Nextcloud Server	>=26.0.0<26.0.9
Nextcloud Server	>=27.0.0<27.1.4
Nextcloud Server	>=27.0.0<27.1.4

Remedy

https://github.com/nextcloud/server/pull/41520

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2023-49791?
CVE-2023-49791 has a medium severity rating due to potential unauthorized access to sensitive data.
How do I fix CVE-2023-49791?
To fix CVE-2023-49791, upgrade your Nextcloud Server to version 26.0.9, 27.1.4, or applicable enterprise versions.
Which versions are affected by CVE-2023-49791?
CVE-2023-49791 affects Nextcloud Server versions prior to 26.0.9 and 27.1.4, as well as specific enterprise versions.
Is CVE-2023-49791 a remote code execution vulnerability?
No, CVE-2023-49791 is not classified as a remote code execution vulnerability, but it can lead to unauthorized access.
Are there any known exploits for CVE-2023-49791?
There have been reports indicating that CVE-2023-49791 has been exploited in the wild.

agent/weakness
agent/type
agent/event
agent/softwarecombine
agent/first-publish-date
agent/remedy
agent/severity
agent/author
agent/title
agent/references
agent/description
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/source
agent/tags
collector/nvd-api
source/NVD
agent/software-canonical-lookup
agent/software-canonical-lookup-request
vendor/nextcloud
canonical/nextcloud server
version/nextcloud server/23.0.0
version/nextcloud server/24.0.0
version/nextcloud server/25.0.0
version/nextcloud server/26.0.0
version/nextcloud server/27.0.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.