CVE-2023-22472 MEDIUM

CVE-2023-22472: Nextcloud Deck Desktop Client is vulnerable to Cross-Site Request Forgery (CSRF) via malicious link

Vendor Nextcloud
Product security-advisories
Weakness CWE-352 · CSRF
Published January 9, 2023
Last update March 10, 2025

CVSS base score

5.3/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low
Availability Low

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

What the vulnerability does

Description

Deck is a kanban-style organization tool aimed at personal planning and project organization for teams, integrated with Nextcloud. It is possible to make a user send any POST request with an arbitrary body, given they click on a malicious deep link on a Windows computer (e.g. in an email, chat link, etc.). There are currently no known workarounds. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.2.

Key dates

Disclosure timeline

January 9, 2023 CVE published
March 10, 2025 Record updated