Nextcloud Groupfolders Permission Bypass Vulnerability Allowing Unauthorized File Restoration from Trash

Vulnerability

A vulnerability exists in Nextcloud Groupfolders versions prior to 14.0.11, 15.3.12, 16.0.15, 17.0.14, 18.1.8, 19.1.8, and 20.1.2. It allows users with read-only permissions to restore deleted files from the trash bin, bypassing intended access restrictions. This issue has been addressed in the mentioned updated versions.

Impact

Exploitation of this vulnerability allows users with read-only permissions in a team folder to restore deleted files from the trash bin, contrary to the expected behavior that such permissions would prevent file restoration.

Reproduction

To reproduce this vulnerability, add a user to a group and create a team folder assigned to that group. Set the group's permissions to read-only and upload a file, then delete it. The user can then restore the deleted file from the trash, despite the read-only restriction.

Remediation

Users are advised to update the Groupfolders app to version 14.0.11, 15.3.12, 16.0.15, 17.0.14, 18.1.8, 19.1.8 or 20.1.2. Alternatively, the Groupfolders app can be disabled, or the Files_trashbin app can be turned off.
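As an added example (not part of this advisory and not Nextcloud's own code), the check below maps an installed Groupfolders app version to the fixed release on its major branch, so an inventory of instances can be triaged against the version list above. The handling of majors below 14 (treated as affected) and above 20 (treated as fixed) is an assumption, not something the advisory states.

```python
# Added example: decide whether an installed Groupfolders release predates the fix
# on its branch. Version list copied from the advisory; branch edge rules are assumptions.
from __future__ import annotations

# Lowest fixed release on each maintained branch, as listed in the advisory.
FIXED_VERSIONS = ["14.0.11", "15.3.12", "16.0.15", "17.0.14", "18.1.8", "19.1.8", "20.1.2"]


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '18.1.8' into (18, 1, 8); a trailing '-rc1' style suffix is dropped."""
    core = text.strip().split("-", 1)[0]
    parts = tuple(int(p) for p in core.split("."))
    # Pad to three components so '18' compares like (18, 0, 0).
    return parts + (0,) * (3 - len(parts))


def is_vulnerable(installed: str) -> bool:
    """True when the installed release is older than the fix on its major branch.
    Assumptions: a major older than 14 has no fixed release and counts as affected;
    a major newer than 20 counts as fixed."""
    version = parse_version(installed)
    fixed_by_major = {parse_version(v)[0]: parse_version(v) for v in FIXED_VERSIONS}
    major = version[0]
    if major < min(fixed_by_major):
        return True
    if major > max(fixed_by_major):
        return False
    return version < fixed_by_major[major]


def audit(versions: dict[str, str]) -> dict[str, str]:
    """Label each instance 'vulnerable' or 'fixed' from its Groupfolders version."""
    return {name: ("vulnerable" if is_vulnerable(v) else "fixed") for name, v in versions.items()}


if __name__ == "__main__":
    # Constructed sample inventory: instance name -> installed Groupfolders version.
    sample = {"nc-prod": "18.1.7", "nc-staging": "18.1.8", "nc-legacy": "13.2.0", "nc-new": "20.1.2"}
    for name, state in audit(sample).items():
        print(f"{name}: {state}")
```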

Added: Dec 5, 2025, 6:28 PM
Updated: Dec 5, 2025, 6:28 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 0.6
exploitability: 6.4
remediation: 8.3
relevance: 1.3
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.