Headline
CVE-2023-28647: App pin of the iOS app can be bypassed
Nextcloud iOS is an iOS application used to interface with the Nextcloud home cloud ecosystem. In versions prior to 4.7.0, an attacker with physical access to an unlocked device may enable the integration into the iOS Files app, bypass the Nextcloud pin/password protection, and gain access to a user's files. It is recommended that the Nextcloud iOS app is upgraded to 4.7.0. There are no known workarounds for this vulnerability.
Affected versions
< 4.7.0
Description
Impact
When an attacker has physical access to an unlocked device, they could simply enable the integration into the iOS Files app and bypass the Nextcloud pin protection.
Patches
It is recommended that the Nextcloud iOS app is upgraded to 4.7.0.
Workarounds
- No workaround available
References
- HackerOne
- PullRequest
For more information
If you have any questions or comments about this advisory:
- Create a post in nextcloud/security-advisories
- Customers: Open a support ticket at support.nextcloud.com