Nextcloud Deck File Extension Spoofing Vulnerability via RTLO Characters

Vulnerability

A vulnerability in Nextcloud Deck prior to versions 1.12.7, 1.14.4, and 1.15.1 allows for file extension spoofing. By using Right-to-Left Override (RTLO) characters, it is possible to trick users into downloading files with misleading extensions. This issue has been addressed in the mentioned versions.

Impact

Exploitation of this vulnerability results in file extension spoofing: users download a file whose displayed extension differs from its real one, which could be misused to get them to execute malicious files or scripts.

Reproduction

To reproduce this vulnerability, upload a file whose name includes RTLO characters to Nextcloud Deck. The file is listed with a different extension than its real one. After uploading, the file can be downloaded, and the spoofed extension is reflected in the downloaded file.

Remediation

Users are advised to update Nextcloud Deck to version 1.12.7, 1.14.4, or 1.15.1. If an immediate update is not possible, the Deck app can be disabled as a temporary measure.
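As an added example (not Nextcloud's or the Deck app's own code), the following Python check shows what a defender can do with attachment names: flag Unicode bidirectional control characters such as U+202E (RTLO), report the extension the filesystem will actually use, approximate what the user sees, and strip the controls. The sample file names are constructed for this example.

```python
import unicodedata
from typing import Dict, List

# Unicode bidi control characters that reorder how a name is rendered
# without changing the bytes the OS uses. Constructed list for this
# example; U+202E is the classic RTLO character from the advisory.
BIDI_CONTROLS: Dict[str, str] = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200e": "LRM", "\u200f": "RLM",
}


def find_bidi_controls(name: str) -> List[str]:
    """Return the Unicode names of every bidi control present in `name`."""
    return [unicodedata.name(ch) for ch in name if ch in BIDI_CONTROLS]


def true_extension(name: str) -> str:
    """Extension the filesystem actually uses: text after the last dot."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def displayed_approx(name: str) -> str:
    """Rough rendering of a single RTLO: everything after it reads reversed.
    Approximation only; real bidi rendering is more involved."""
    idx = name.find("\u202e")
    return name if idx < 0 else name[:idx] + name[idx + 1:][::-1]


def sanitize_filename(name: str) -> str:
    """Strip bidi controls so the rendered name matches the stored name."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def check_upload(name: str) -> dict:
    """Policy check a server could run on an uploaded attachment name."""
    hits = find_bidi_controls(name)
    return {
        "raw": name,
        "suspicious": bool(hits),
        "controls": hits,
        "true_extension": true_extension(name),
        "displayed": displayed_approx(name),
        "sanitized": sanitize_filename(name),
    }


if __name__ == "__main__":
    # Constructed samples: the second is stored as an .exe but renders as .png
    for sample in ["report.pdf", "photo_\u202egnp.exe"]:
        print(check_upload(sample))
```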

Added: Dec 5, 2025, 6:27 PM
Updated: Dec 5, 2025, 6:27 PM

Vulnerability Rating

Custom Algorithm
spread: 5.0
impact: 0.6
exploitability: 4.8
remediation: 8.3
relevance: 1.3
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.