Nextcloud Tables Path Traversal Vulnerability Leading to Arbitrary File Exfiltration
Vulnerability
A path traversal vulnerability has been identified in the Nextcloud Tables app, specifically in versions 0.7.0 through 0.7.5, 0.8.0 through 0.8.7, and 0.9.0 through 0.9.4. During the table import process, a user can specify a file path on the server instead of a file within their own storage. If the file is in a format the PhpSpreadsheet library can parse, its content is read and included in the imported table, exposing data the user is not authorized to read.
Impact
Exploitation of this vulnerability allows arbitrary exfiltration of any server file in a format supported by the PhpSpreadsheet library, with a high impact on confidentiality.
Reproduction
To reproduce this vulnerability, import a table using a version of the Nextcloud Tables app earlier than the patched versions. During the import process, specify a file on the server that is in a format supported by the PhpSpreadsheet library. The content of the file is imported into the table, effectively leaking the file's data to the user.
Remediation
Users are advised to upgrade the Nextcloud Tables app to version 0.7.6, 0.8.8, or 0.9.5. Instructions for updating the app can be found in the Nextcloud app store or through the Nextcloud update mechanism.
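The root cause described above is an import path that is taken from the request and handed to the spreadsheet parser without being confined to the requesting user's storage. The following is an added illustration, not code from Nextcloud Tables or from the fixed releases: it shows the unsafe join pattern beside a hardened resolver that canonicalises the path (following symlinks) and rejects anything outside the storage root. The storage layout, file names and the `PathTraversalError` type are constructed for the example.

```python
"""
Confining a user-supplied import path to a storage root.

Added example (not Nextcloud Tables code). The vulnerable resolver
trusts the requested path; the safe resolver canonicalises it and
refuses any target that escapes the user's storage root, including
symlinks that point outside it.
"""
import os
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a requested import path escapes the allowed root."""


def resolve_import_path_vulnerable(storage_root: str, requested: str) -> str:
    # Vulnerable pattern: os.path.join discards storage_root entirely when
    # `requested` is absolute, and "../" segments are never checked, so the
    # caller can name any file the web server process can read.
    return os.path.join(storage_root, requested)


def resolve_import_path_safe(storage_root, requested: str) -> Path:
    # Only paths relative to the user's storage are meaningful for an import.
    if Path(requested).is_absolute():
        raise PathTraversalError(f"absolute path not allowed: {requested!r}")
    root = Path(storage_root).resolve()
    # resolve() collapses ".." and follows symlinks, so the confinement
    # check is made on the final on-disk target, not on the spelling.
    candidate = (root / requested).resolve()
    if candidate != root and root not in candidate.parents:
        raise PathTraversalError(f"{requested!r} escapes {root}")
    return candidate


def demo_with_symlink() -> dict:
    """Build a constructed storage root in a temp dir and exercise the check.

    Returns a mapping of requested path -> path relative to the root when
    accepted, or the string "rejected" when the resolver refuses it.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "alice" / "files"          # constructed user storage
        (root / "reports").mkdir(parents=True)
        (root / "reports" / "q1.csv").write_text("a,b\n1,2\n")
        secret = Path(tmp) / "config.php"             # constructed file outside the root
        secret.write_text("<?php // constructed secret\n")
        (root / "link.csv").symlink_to(secret)        # symlink escaping the root

        requests = ["reports/q1.csv", "../../config.php", "/etc/passwd", "link.csv"]
        results = {}
        for req in requests:
            try:
                target = resolve_import_path_safe(root, req)
                results[req] = str(target.relative_to(root.resolve()))
            except PathTraversalError:
                results[req] = "rejected"
        return results


if __name__ == "__main__":
    for req, outcome in demo_with_symlink().items():
        print(f"{req!r:22} -> {outcome}")
```

The symlink case is the one most often missed: a prefix check on the unresolved string would accept `link.csv` because it sits inside the root, while the resolved target is outside it. Checking the resolved path closes both the `../` and the symlink routes at once.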
