Nextcloud Server and Enterprise Server Bulk Tagging Vulnerability Allows Unauthorized Tag Modifications

Vulnerability

A vulnerability exists in Nextcloud Server and Nextcloud Enterprise Server in versions prior to 31.0.1, where non-privileged users can improperly modify tags on files they do not own. The modification is performed through the bulk tagging feature, which is not subject to the restriction and therefore permits unauthorized tag changes. The root cause is that the frontend does not properly honor the tag creation restrictions that are meant to apply to regular users.

Impact

Exploitation of this vulnerability allows non-privileged users to alter tags on files they do not have rights to, potentially leading to mismanagement of file organization and access.

Reproduction

To reproduce this vulnerability, first ensure that the Nextcloud Server or Enterprise Server is running a version prior to 31.0.1. Then, log in as a non-privileged user and navigate to the files app. Select multiple files and use the bulk tagging feature to add or modify tags. Despite the restriction on tag creation for regular users, the bulk tagging option will still allow unauthorized tag changes on files that do not belong to the user.

Remediation

Users are advised to update Nextcloud Server or Nextcloud Enterprise Server to version 31.0.1, where this vulnerability has been fixed.
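The following Python script is an added example, not part of the advisory or of Nextcloud's own code. It reads a constructed status document in the shape of Nextcloud's /status.php response (the "version" and "versionstring" fields are assumed to be present, as they are on current releases) and reports whether the instance is older than the fixed release 31.0.1. Version strings are compared as tuples of integers rather than as text so that, for example, 31.0.10 is not misjudged as older than 31.0.1.

```python
import json

# Release that ships the fix, as stated in the advisory.
FIXED_VERSION = (31, 0, 1)


def parse_version(version: str) -> tuple:
    """Parse a dotted version such as "31.0.1" or "30.0.6.2" into a tuple of ints.

    Only the leading numeric dotted components are used; a trailing suffix
    such as " RC1" is ignored (assumption about possible pre-release labels).
    """
    core = version.strip().split()[0]
    parts = []
    for piece in core.split("."):
        if piece.isdigit():
            parts.append(int(piece))
        else:
            break
    if not parts:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the version is older than 31.0.1 (major.minor.patch comparison)."""
    parsed = parse_version(version)[:3]
    padded = parsed + (0,) * (3 - len(parsed))  # treat "31" as 31.0.0
    return padded < FIXED_VERSION


def assess_status_json(raw: str) -> dict:
    """Evaluate a status.php-style JSON document and report exposure."""
    data = json.loads(raw)
    version = data.get("versionstring") or data.get("version")
    if not version:
        raise ValueError("no version field in status document")
    return {"version": version, "affected": is_affected(version)}


# Constructed sample in the shape of a Nextcloud /status.php response (illustrative only).
SAMPLE_STATUS = json.dumps({
    "installed": True,
    "maintenance": False,
    "version": "30.0.6.2",
    "versionstring": "30.0.6",
    "productname": "Nextcloud",
})

if __name__ == "__main__":
    print(assess_status_json(SAMPLE_STATUS))
```

The check deliberately looks only at major.minor.patch: the fourth component Nextcloud includes in its internal "version" field is a build counter and does not change whether the fix is present.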

Added: Dec 5, 2025, 5:21 PM
Updated: Dec 5, 2025, 5:21 PM

Vulnerability Rating

Custom Algorithm

spread:         5.2
impact:         0.6
exploitability: 6.4
remediation:    7.7
relevance:      1.3
threat:         4.8
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.