Nextcloud Tables
cpe:2.3:a:nextcloud:nextcloud:*:*:*:*:*:*:*
- >= 0.7.0, < 0.7.7
- >= 0.8.0, < 0.8.10
- >= 0.9.0, < 0.9.8
- >= 1.0.0, < 1.0.4
A stored SQL injection vulnerability has been identified in the Nextcloud Tables app, affecting versions 0.7.0 prior to 0.7.7, 0.8.0 prior to 0.8.10, 0.9.0 prior to 0.9.8, and 1.0.0 prior to 1.0.4. This vulnerability allows authenticated attackers with access to the Tables app to execute arbitrary SQL queries, initially limited to 20 bytes. However, with carefully crafted input, it is possible to bypass this length restriction. Exploitation of this vulnerability could lead to unauthorized data extraction or modification within the database.
Exploitation of this vulnerability could result in unauthorized execution of SQL queries, allowing attackers to extract or modify database information.
Users are advised to upgrade the Nextcloud Tables app to version 2.0.0, 1.0.4, 0.9.8, 0.8.10, or 0.7.7. Alternatively, the Tables app can be disabled.
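The affected ranges and fixed releases above, turned into a check an administrator can run over an app inventory. This is an added example, not code from the advisory or from Nextcloud; the JSON layout is assumed to match what `occ app:list --output=json` prints, and the sample inventory is constructed.

```python
import json

# (first affected, first fixed) per release branch, taken from the advisory.
AFFECTED = [("0.7.0", "0.7.7"), ("0.8.0", "0.8.10"),
            ("0.9.0", "0.9.8"), ("1.0.0", "1.0.4")]

def parse(version):
    """'0.8.10' -> (0, 8, 10); numeric so that 0.8.10 sorts after 0.8.9."""
    # Drop any pre-release/build suffix; a pre-release of an affected
    # version is then conservatively treated as affected.
    core = version.split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))

def fixed_release(version):
    """Return the fixed release for an affected version, else None."""
    v = parse(version)
    for first_affected, fixed in AFFECTED:
        if parse(first_affected) <= v < parse(fixed):
            return fixed
    return None

def assess(app_list_json):
    """Classify the Tables app from an app inventory in JSON form."""
    apps = json.loads(app_list_json)
    version = apps.get("enabled", {}).get("tables")
    if version is None:
        # A disabled app matches the advisory's alternative to upgrading.
        if "tables" in apps.get("disabled", {}):
            return "disabled"
        return "not installed"
    fixed = fixed_release(version)
    return f"affected: fixed in {fixed}" if fixed else "not affected"

# Constructed sample inventory (assumed layout, not captured from a server).
SAMPLE = ('{"enabled": {"files": "2.0.0", "tables": "0.8.9"}, '
          '"disabled": {"survey_client": "1.16.0"}}')

if __name__ == "__main__":
    print(assess(SAMPLE))
```

Versions are compared as integer tuples because a string comparison would place 0.8.10 before 0.8.9 and misclassify the 0.8 branch.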