Headline
CVE-2023-22472: CSRF vulnerability in Nextcloud Desktop Client on Windows when clicking malicious link
A crafted deep link can make the Nextcloud Desktop Client on Windows send any POST request with an arbitrary body, if the user clicks the link (for example, a link delivered in an email or a chat message). There are currently no known workarounds. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.2.
Impact
It is possible to make a user send any POST request with an arbitrary body if they click a malicious deep link on a Windows computer (for example, a link delivered in an email or a chat message).
Patches
It is recommended that the Nextcloud Desktop client is upgraded to 3.6.2.
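The following PowerShell check is an added example and is not part of the Nextcloud advisory or the Nextcloud project's own tooling. It reads the Windows uninstall registry entries and reports whether an installed Nextcloud Desktop client is below the fixed version 3.6.2 named above. It assumes the client registers an uninstall entry whose DisplayName starts with "Nextcloud" and that its DisplayVersion holds the dotted version number; both assumptions are noted in the code.

```powershell
# Added example (not from the advisory): flag Nextcloud Desktop client
# installs below the fixed version 3.6.2 for CVE-2023-22472.
# Assumptions: the installer writes a standard uninstall entry whose
# DisplayName starts with "Nextcloud" and whose DisplayVersion carries the
# dotted version; the registry paths below are the usual per-machine and
# per-user uninstall hives, not locations stated in the advisory.
$FixedVersion = [version]'3.6.2'

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Collect every uninstall entry that looks like the Nextcloud client and has a version string.
$installs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Nextcloud*' -and $_.DisplayVersion }

if (-not $installs) {
    Write-Output 'Nextcloud Desktop client not found in the uninstall registry.'
    return
}

foreach ($app in $installs) {
    # DisplayVersion may carry a suffix such as "-rc1"; keep only the leading
    # dotted numeric part so the [version] cast does not fail on it.
    $numeric = ($app.DisplayVersion -split '[^0-9.]')[0]
    try {
        $installed = [version]$numeric
    } catch {
        Write-Output ("{0}: could not parse version '{1}'" -f $app.DisplayName, $app.DisplayVersion)
        continue
    }

    if ($installed -lt $FixedVersion) {
        Write-Output ("VULNERABLE: {0} {1} is below {2} (CVE-2023-22472); upgrade the client." -f $app.DisplayName, $installed, $FixedVersion)
    } else {
        Write-Output ("OK: {0} {1} is at or above {2}." -f $app.DisplayName, $installed, $FixedVersion)
    }
}
```

Run it in an elevated PowerShell session so the per-machine hives are readable; a [version] comparison is used rather than a string comparison so that, for example, 3.10.0 sorts above 3.6.2.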
Workarounds
No workaround available
References
- HackerOne
- Pull request
For more information
If you have any questions or comments about this advisory:
- Create a post in nextcloud/security-advisories
- Customers: Open a support ticket at support.nextcloud.com