How severe is CVE-2023-28645?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 6.5 out of 10.

What type of vulnerability is CVE-2023-28645?

This is classified as CWE-284, which is a common weakness in software security.

CVE-2023-28645

MEDIUM Year: 2023

CVSS v3 Score

6.5

Medium

Weakness Type

CWE-284

View all →

Vulnerability Description

Nextcloud richdocuments is a Nextcloud app integrating the office suit Collabora Online. In affected versions the secure view feature of the rich documents app can be bypassed by using unprotected internal API endpoint of the rich documents app. It is recommended that the Nextcloud Office app (richdocuments) is upgraded to 8.0.0-beta.1, 7.0.2 or 6.3.2. Users unable to upgrade may mitigate the issue by taking steps to restrict the ability to download documents. This includes ensuring that the `WOPI configuration` is configured to only serve documents between Nextcloud and Collabora. It is highly recommended to define the list of Collabora server IPs as the allow list within the Office admin settings of Nextcloud.

CVE-2011-1762

MEDIUM

CVSS:6.5(Medium)

A flaw exists in Wordpress related to the 'wp-admin/press-this.php 'script improperly checking user permissions when publishing posts. This may allow a user with 'Contributor-level' privileges to post...

CWE-2842011

CVE-2012-4379

MEDIUM

CVSS:6.5(Medium)

MediaWiki before 1.18.5, and 1.19.x before 1.19.2 does not send a restrictive X-Frame-Options HTTP header, which allows remote attackers to conduct clickjacking attacks via an embedded API response in...

CWE-2842012

CVE-2014-1398

MEDIUM

CVSS:6.5(Medium)

The entity wrapper access API in the Entity API module 7.x-1.x before 7.x-1.3 for Drupal might allow remote authenticated users to bypass intended access restrictions on comment, user and node statist...

CWE-2842014

CVE-2014-1399

MEDIUM

CVSS:6.5(Medium)

The entity wrapper access API in the Entity API module 7.x-1.x before 7.x-1.3 for Drupal might allow remote authenticated users to bypass intended access restrictions on referenced entities via unspec...

CWE-2842014

CVE-2014-1400

MEDIUM

CVSS:6.5(Medium)

The entity_access API in the Entity API module 7.x-1.x before 7.x-1.3 for Drupal might allow remote authenticated users to bypass intended access restrictions and read unpublished comments via unspeci...

CWE-2842014

CVE-2014-3519

MEDIUM

CVSS:6.5(Medium)

The open_by_handle_at function in vzkernel before 042stab090.5 in the OpenVZ modification for the Linux kernel 2.6.32, when using simfs, might allow local container users with CAP_DAC_READ_SEARCH capa...

CWE-2842014

CVE-2023-28645

Vulnerability Description

Related Vulnerabilities

CVE-2011-1762

CVE-2012-4379

CVE-2014-1398

CVE-2014-1399

CVE-2014-1400

CVE-2014-3519