Headline
CVE-2023-35171: Open redirect on "Unsupported browser" warning
Nextcloud Server and Nextcloud Enterprise Server provide file storage for Nextcloud, a self-hosted productivity platform. Starting in version 26.0.0 and prior to version 26.0.2, an attacker could supply a URL that redirects an unsuspecting victim from a legitimate domain to an attacker's site. Nextcloud Server and Nextcloud Enterprise Server 26.0.2 contain a patch for this issue. No known workarounds are available.
Package
Server (Nextcloud)
Affected versions
>= 26.0.0
Server (Nextcloud Enterprise)
Description
Impact
An attacker could supply a URL that redirects an unsuspecting victim from a legitimate domain to an attacker’s site.
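As an added illustration of the defect class named in this advisory (this is not Nextcloud's code; the host name and the parameter name `redirect_url` are assumed), a redirect-target check that only accepts local paths or absolute URLs on the expected host, together with the target shapes a reviewer would test a fix against:

```python
from urllib.parse import urlsplit

def is_safe_redirect(target: str, allowed_host: str) -> bool:
    """Allow only a local absolute path ("/apps/...") or an http(s) URL
    whose host is exactly allowed_host. Everything else is an open redirect."""
    if not target:
        return False
    # Control characters and whitespace: browsers strip some of them, so
    # "java\tscript:" or " //evil" would be re-interpreted after our check.
    if any(ord(c) < 0x21 for c in target):
        return False
    # Browsers treat "\" as "/" in URLs, so "/\evil.example" becomes
    # "//evil.example" (scheme-relative, i.e. a different host).
    if "\\" in target:
        return False
    try:
        parts = urlsplit(target)
        host = parts.hostname  # lower-cased, port and userinfo removed
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: require exactly one leading slash.
        # "//host" and "///host" are scheme-relative and change the host.
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, etc.
    # hostname handles "https://good.example@evil.example/" (userinfo trick)
    # and "https://good.example.evil.example/" (prefix trick) correctly.
    return host == allowed_host.lower()

def resolve_redirect(redirect_url: str, allowed_host: str, fallback: str = "/") -> str:
    """What a handler would do with the (assumed) redirect_url parameter:
    keep it if it passes the check, otherwise fall back to a local path."""
    return redirect_url if is_safe_redirect(redirect_url, allowed_host) else fallback

if __name__ == "__main__":
    # Constructed test inputs, not taken from the advisory.
    for t in ["/apps/files", "//evil.example/", "///evil.example/",
              "/\\evil.example", "https://nextcloud.example.com@evil.example/",
              "https://nextcloud.example.com.evil.example/",
              "https://NEXTCLOUD.example.com/index.php", "javascript:alert(1)"]:
        print(f"{t!r:55} -> {resolve_redirect(t, 'nextcloud.example.com')}")
```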
Patches
It is recommended that Nextcloud Server be upgraded to 26.0.2
It is recommended that Nextcloud Enterprise Server be upgraded to 26.0.2
Workarounds
- No workaround available
References
- HackerOne
- PullRequest
For more information
If you have any questions or comments about this advisory:
- Create a post in nextcloud/security-advisories
- Customers: Open a support ticket at portal.nextcloud.com