CVE-2023-48301 Information

Description

Nextcloud Server provides data storage for Nextcloud an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.13 26.0.8 and 27.1.3 of Nextcloud Server and Nextcloud Enterprise Server an attacker could insert links into circles name that would be opened when clicking the circle name in a search filter. Nextcloud Server and Nextcloud Enterprise Server versions 25.0.13 26.0.8 and 27.1.3 contain a fix for this issue. As a workaround disable app circles.

Reference

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wgpw-qqq2-gwv6 https://github.com/nextcloud/circles/pull/1415 https://hackerone.com/reports/2210038