← back
CVE-2022-41970

Nextcloud Server's disabled download shares still allow download through preview images

CVSS 2.6 LOWEPSS 0.6%CWE-284CWE-863
Vexday Risk Score
8Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 2.6EPSS 0.6%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
01 Dec 2022Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Nextcloud Server is an open source personal cloud server. Prior to versions 24.0.7 and 25.0.1, disabled download shares still allow download through preview images. Images could be downloaded and previews of documents (first page) can be downloaded without being watermarked. Versions 24.0.7 and 25.0.1 contain a fix for this issue. No known workarounds are available.
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
Affected products
nextcloud · security-advisories

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-9mh6-cph8-772chttps://github.com/nextcloud/server/pull/34788https://hackerone.com/reports/1745766