Critical Nextcloud Vulnerability: Update Required

Update now: Critical vulnerability in Nextcloud

The developers of the Nextcloud collaboration software have warned of a critical security gap that attackers from the network could exploit to inject malicious code. The cause is that some workflows are built to run code remotely, and users could create workflows that are meant to be reserved for admins. Depending on the apps installed, the problem could lead to the execution of injected malicious code from the network.

The developers have already released updated software to fix the vulnerability: for Nextcloud Server, the updates are versions 24.0.10 and 25.0.4. For Nextcloud Enterprise Server, versions 20.0.14.12, 21.0.9.10, 22.2.10.10, 23.0.12.5, 24.0.10, and 25.0.4 fix the security-critical errors. For those still using Nextcloud Enterprise Server 18 or 19, the Nextcloud developers advise applying the patches manually.

As a temporary countermeasure, disabling the workflow_scripts and workflow_pdf_converter apps should help. IT managers should apply either the available updates or the temporary countermeasure quickly to prevent attackers from abusing this critical vulnerability.
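A check of the running version against the fixed releases listed above, followed by the workaround if the server is still affected, as an added shell example (not from Nextcloud or the advisory). It assumes occ lives at $NC_DIR/occ, runs as the web-server user, and that `occ status` prints a `versionstring:` line.

```shell
#!/bin/sh
# Added example, not Nextcloud's own tooling. Assumed paths/users below.
NC_DIR="${NC_DIR:-/var/www/nextcloud}"   # assumption: install directory
WEB_USER="${WEB_USER:-www-data}"         # assumption: web-server user

# First fixed version per release branch (major.minor), as listed in the advisory.
fixed_version_for_branch() {
  case "$1" in
    20.0) echo 20.0.14.12 ;;
    21.0) echo 21.0.9.10 ;;
    22.2) echo 22.2.10.10 ;;
    23.0) echo 23.0.12.5 ;;
    24.0) echo 24.0.10 ;;
    25.0) echo 25.0.4 ;;
    *) return 1 ;;   # 18, 19 and unknown branches: no listed fix
  esac
}

# version_ge A B: succeeds when dotted version A >= B, comparing up to 4
# numeric components (so 24.0.9 < 24.0.10, unlike a plain string compare).
version_ge() {
  lowest=$(printf '%s\n%s\n' "$2" "$1" | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n | head -n 1)
  [ "$lowest" = "$2" ]
}

# is_vulnerable VERSION: exit 0 if VERSION predates the fix for its branch.
# Branches without a listed fix are treated as affected (patch manually).
is_vulnerable() {
  branch=$(printf '%s' "$1" | cut -d. -f1,2)
  fixed=$(fixed_version_for_branch "$branch") || return 0
  if version_ge "$1" "$fixed"; then return 1; else return 0; fi
}

# Read the live version from occ and disable the two affected apps if needed.
# Not invoked automatically; call `mitigate` on the server to apply it.
mitigate() {
  ver=$(sudo -u "$WEB_USER" php "$NC_DIR/occ" status | sed -n 's/.*versionstring: *//p')
  if is_vulnerable "$ver"; then
    echo "Nextcloud $ver is affected by CVE-2023-26482; disabling workflow apps"
    for app in workflow_scripts workflow_pdf_converter; do
      sudo -u "$WEB_USER" php "$NC_DIR/occ" app:disable "$app"
    done
  else
    echo "Nextcloud $ver already carries the fix"
  fi
}
```

Disabling the apps is only the stopgap; the function leaves updating to a fixed release to the admin.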

The error description does not provide much detail about the issue, but the developers describe the vulnerability as a “lack of scope validation”: users can create workflows that only admins are supposed to be able to create. Some of these workflows run code remotely by including specific scripts, for example workflows that create PDFs, call webhooks, or run scripts on the server. The combination of these issues could lead to a severe vulnerability where attackers inject and execute malicious code from the network.

This critical vulnerability has been assigned CVE-2023-26482 and carries a CVSS score of 9.0. The risk level is significant, which is why it is essential to update the software or apply the patches manually wherever necessary. The IT department should take this warning seriously and prioritize upgrading the software to avoid any unexpected attacks. The consequences of a successful attack could be catastrophic for any organization.
