CVE-2023-25150 MEDIUM

CVE-2023-25150: Document content of files can be obtained through Collabora for files of other users

Vendor Nextcloud
Product security-advisories
Weakness CWE-284
Published February 8, 2023
Last update March 10, 2025
View on NVD All CVEs

CVSS base score

5.8/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction Required
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N

What the vulnerability does

01Description

Nextcloud office/richdocuments is an office suit for the nextcloud server platform. In affected versions the Collabora integration can be tricked to provide access to any file without proper permission validation. As a result any user with access to Collabora can obtain the content of other users files. It is recommended that the Nextcloud Office App (Collabora Integration) is updated to 7.0.2 (Nextcloud 25), 6.3.2 (Nextcloud 24), 5.0.10 (Nextcloud 23), 4.2.9 (Nextcloud 21-22), or 3.8.7 (Nextcloud 15-20). There are no known workarounds for this issue.

Key dates

02Disclosure timeline

February 8, 2023 CVE published
March 10, 2025 Record updated