CVE-2023-48308
Calendar app returns full stacktrace when an error happens while editing appointment
In short
When editing a calendar appointment in Nextcloud Calendar, an error can expose the application's internal error details and server paths to attackers. This information leak can help attackers understand the system's structure and find other vulnerabilities.
Technical detail
The Nextcloud Calendar app fails to properly sanitize error messages during appointment editing, returning full stack traces that disclose internal file paths and system information. An attacker can trigger this information disclosure by manipulating appointment data, requiring only basic user interaction with the calendar feature.
Summary generated and translated by AI from the official description.
Nextcloud/Cloud is a calendar app for Nextcloud. An attacker can gain access to stacktrace and internal paths of the server when generating an exception while editing a calendar appointment. It is recommended that the Nextcloud Calendar app is upgraded to 4.5.3.
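A regression check for this class of leak, as an added example that is not Nextcloud code: it scans an error response body (JSON or plain text) for PHP stack-trace frames, absolute `.php` paths and exception-detail keys. The patterns, key names and both sample bodies are constructed assumptions, not values taken from the advisory.

```python
import json
import re

# Heuristic markers of server internals in a response body (assumed patterns).
PATTERNS = {
    "php_trace_frame": re.compile(r"#\d+ (?:/|[A-Za-z]:\\)\S+\.php\(\d+\)"),
    "absolute_php_path": re.compile(r"(?:/[\w.\-]+){2,}\.php\b"),
    "trace_header": re.compile(r"Stack trace:"),
}
# JSON keys that typically carry exception internals (assumed names).
SUSPECT_KEYS = {"trace", "stacktrace", "file", "line"}

# Constructed sample bodies; the paths and field names are illustrative only.
LEAKY = json.dumps({
    "message": "Internal Server Error",
    "file": "/srv/example/apps/calendar/lib/Constructed.php",
    "line": 42,
    "trace": ["#0 /srv/example/lib/Constructed.php(10): example()"],
})
SANITIZED = json.dumps({"message": "Internal error", "requestId": "constructed-0001"})


def walk(node, path="$", key=None):
    """Yield (json_path, key, text) for every node of a decoded JSON value."""
    yield path, key, node if isinstance(node, str) else ""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from walk(v, f"{path}.{k}", k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from walk(v, f"{path}[{i}]")


def find_leaks(body):
    """Return sorted (location, finding) pairs for an error response body."""
    try:
        nodes = list(walk(json.loads(body)))
    except ValueError:
        nodes = [("$", None, body)]  # not JSON: scan the raw text instead
    findings = set()
    for path, key, text in nodes:
        if key is not None and key.lower() in SUSPECT_KEYS:
            findings.add((path, "suspect_key"))
        findings.update((path, n) for n, rx in PATTERNS.items() if rx.search(text))
    return sorted(findings)


if __name__ == "__main__":
    for label, body in (("leaky", LEAKY), ("sanitized", SANITIZED)):
        print(label, find_leaks(body))
```

Run against the error responses of a test instance after upgrading, an empty result for every error path is the expected outcome.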
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
Affected products
nextcloud · security-advisories