- Description: Nextcloud Calendar is a calendar app for Nextcloud. Prior to 4.7.17 and 5.2.4, when a malicious user creates a calendar event with a crafted attachment that links to a download link of a file on the same Nextcloud server, the file would be downloaded without the user confirming the action. This vulnerability is fixed in 4.7.17 and 5.2.4.
- Source: security-advisories@github.com
- NVD status: Analyzed
- Products: calendar
CVSS 3.1
- Type: Secondary
- Base score: 5.7
- Impact score: 3.6
- Exploitability score: 2.1
- Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
- Severity: MEDIUM
- security-advisories@github.com: CWE-241
- Hype score: Not currently trending
[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:nextcloud:calendar:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "1B86471C-96D9-4152-BD53-8AC98B0C428D",
            "versionEndExcluding": "4.7.17",
            "versionStartIncluding": "4.0.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:nextcloud:calendar:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "833B51DE-8445-40F4-A4D4-E7B88F3C2B0C",
            "versionEndExcluding": "5.2.4",
            "versionStartIncluding": "5.0.0",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]