CVE-2023-28646 MEDIUM

CVE-2023-28646: App lockout in Nextcloud Android app can be bypassed via third-party apps

Vendor Nextcloud
Product security-advisories
Weakness CWE-287 · Improper authentication
Published March 30, 2023
Last update February 11, 2025

CVSS base score

4.4/10
Attack vector Physical
Attack complexity High
Privileges required Low
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:P/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L

What the vulnerability does

01 Description

Nextcloud Android is an Android app for interfacing with the Nextcloud home server ecosystem. In versions from 3.7.0 and before 3.24.1, an attacker who has access to the unlocked physical device can bypass the Nextcloud Android PIN/passcode protection via a third-party app. This allows them to view metadata such as the sharer, sharees and activity of files. It is recommended that the Nextcloud Android app be upgraded to 3.24.1. There are no known workarounds for this vulnerability.

Key dates

02 Disclosure timeline

March 30, 2023 CVE published
February 11, 2025 Record updated