The developers of the Nextcloud collaboration software warn of a security vulnerability that they classify as critical. Attackers on the network could use it to inject and execute malicious code. Updated software that fixes the vulnerability is available for download and installation.

The description of the flaw does not go into great detail. “A lack of scope validation allows users to create workflows that are by design reserved for admins. Some workflows are built to run code remotely – by including specific scripts. These workflows are used to create PDFs, involve webhooks or run scripts on the server”. Depending on the apps installed, this combination could lead to the execution of malicious code injected from the web, the developers explain further in their security advisory (CVE-2023-26482, CVSS 9.0, risk “critical”).

For Nextcloud Server, the updates are available as versions 24.0.10 and 25.0.4. They were already released at the end of February, but no changelog has been published since.

There are also updates for Nextcloud Enterprise Server. Here versions 20.0.14.12, 21.0.9.10, 22.2.10.10, 23.0.12.5, 24.0.10 and 25.0.4 fix the security-critical flaw. The Nextcloud developers write that anyone still running Nextcloud Enterprise Server 18 or 19 should patch it manually.

As a temporary countermeasure, the workflow_scripts and workflow_pdf_converter apps can be disabled. IT managers should apply either the available updates or the temporary countermeasure quickly so that attackers get no chance to abuse the critical vulnerability.
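The following script is an added example for this article, not code from heise or from Nextcloud. It turns the fixed versions listed above and the workaround into something an administrator can run: it compares a Nextcloud version string against the first fixed release of its major line and, for an install that is still vulnerable, disables the two workflow apps with `occ app:disable` (a real occ command). The install path `/var/www/nextcloud` and the web-server user `www-data` are assumptions, not facts from the article; adjust them for your deployment.

```shell
#!/bin/sh
# Added example (not from the article or from Nextcloud): classify a Nextcloud
# Server version against the fixed releases the advisory lists, and apply the
# published workaround (disable workflow_scripts and workflow_pdf_converter)
# when the install is still vulnerable.
# ASSUMPTIONS: occ lives at $NEXTCLOUD_DIR/occ and runs as $WEB_USER.

NEXTCLOUD_DIR=${NEXTCLOUD_DIR:-/var/www/nextcloud}
WEB_USER=${WEB_USER:-www-data}

# First release carrying the fix for each major line, as listed in the article.
# Enterprise Server 18 and 19 have no listed fix and must be patched by hand.
fixed_version_for() {
  case "$1" in
    20) echo 20.0.14.12 ;;
    21) echo 21.0.9.10 ;;
    22) echo 22.2.10.10 ;;
    23) echo 23.0.12.5 ;;
    24) echo 24.0.10 ;;
    25) echo 25.0.4 ;;
    *)  return 1 ;;
  esac
}

# version_ge A B: exit 0 when dotted version A is numerically >= B.
# Fields are compared as integers, so 24.0.10 > 24.0.9 (a string compare
# would get this wrong). Missing trailing fields count as 0.
version_ge() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    x=${x:-0};  y=${y:-0}
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  return 0
}

# is_patched VERSION: 0 = fix present, 1 = still vulnerable,
# 2 = no fixed version listed for this major line.
is_patched() {
  major=${1%%.*}
  fixed=$(fixed_version_for "$major") || return 2
  version_ge "$1" "$fixed"
}

# patch_status VERSION: prints patched / vulnerable / unknown.
patch_status() {
  if is_patched "$1"; then
    echo patched
  else
    case $? in 1) echo vulnerable ;; *) echo unknown ;; esac
  fi
}

# Workaround from the advisory: disable the apps that let workflows run code.
disable_workflow_apps() {
  for app in workflow_scripts workflow_pdf_converter; do
    sudo -u "$WEB_USER" php "$NEXTCLOUD_DIR/occ" app:disable "$app"
  done
}

# Usage: sh check-nextcloud.sh <versionstring>
# ("occ status" prints the running version as versionstring).
if [ -n "$1" ]; then
  status=$(patch_status "$1")
  echo "Nextcloud $1: $status"
  if [ "$status" = vulnerable ]; then disable_workflow_apps; fi
fi
```

For an unlisted major line (Enterprise Server 18 or 19) the script reports `unknown` rather than guessing; those installs need the manual patch the developers describe, and the app-disable workaround should be applied there by hand.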


(dmk)


California18