Home > Vulnerability Database > CVE-2022-24888

Mend.io Vulnerability Database

CVE-2022-24888

Date: April 27, 2022

Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 20.0.14.4, 21.0.8, 22.2.4, and 23.0.1, it is possible to create files and folders that have leading and trailing \n, \r, \t, and \v characters. The server rejects files and folders that have these characters in the middle of their names, so this might be an opportunity for injection. This issue is fixed in versions 20.0.14.4, 21.0.8, 22.2.4, and 23.0.1. There are currently no known workarounds.

Language: PHP

Severity Score

4.3

Related Resources (6)

Url: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-w3h6-p64h-q9jp

Url: https://security.gentoo.org/glsa/202208-17

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-24888

Url: https://github.com/nextcloud/server/pull/29895

Url: https://hackerone.com/reports/1402249

Url: https://www.mend.io/vulnerability-database/CVE-2022-24888

Severity Score

4.3

Weakness Type (CWE)

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-74

CVSS v3.1

Base Score:	4.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	LOW
Availability (A):	NONE

CVSS v2

Base Score:	5.0
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	NONE
Integrity (I):	PARTIAL
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2022-24888

Date: April 27, 2022

Language: PHP

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

CVSS v3.1

CVSS v2

Do you need more information?