CVE-2023-28646
low-risk
Published 2023-03-30
Nextcloud android is an android app for interfacing with the nextcloud home server ecosystem. In versions from 3.7.0 and before 3.24.1 an attacker that has access to the unlocked physical device can bypass the Nextcloud Android Pin/passcode protection via a thirdparty app. This allows to see meta information like sharer, sharees and activity of files. It is recommended that the Nextcloud Android app is upgraded to 3.24.1. There are no known workarounds for this vulnerability.
Do I need to act?
-
0.06% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.4/10
Medium
PHYSICAL
/ HIGH complexity
Affected Products (1)
Affected Vendors
References (4)
Issue Tracking
https://github.com/nextcloud/android/pull/11242
Issue Tracking
https://github.com/nextcloud/android/pull/11242
16
/ 100
low-risk
Severity
11/34 · Low
Exploitability
0/34 · Minimal
Exposure
5/34 · Minimal