Nextcloud Tables App SQL Injection Vulnerability in ORDER BY Clause

Vulnerability

A SQL injection vulnerability has been identified in the Nextcloud Tables app, affecting versions from 0.9.0 up to (but not including) 0.9.7 and from 1.0.0 up to (but not including) 1.0.2. The issue arises from a lack of proper input sanitization, which allows users with access to the Tables app to manipulate the ORDER BY statement of a query. Exploitation is limited to extracting a small amount of information per request or causing a delay in the database response. The vulnerability has been patched in versions 0.9.7 and 1.0.2.
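The flaw class described above, shown as an added example in Python with sqlite3 (not the Tables app's own code or its patch): a sort parameter concatenated into ORDER BY, a bound parameter that does not help, and an allowlisted version. The table, column names and sample rows are constructed for illustration.

```python
import sqlite3

# Constructed sample rows; the table and column names are hypothetical.
ROWS = [(1, "pear", 30), (2, "fig", 10), (3, "banana", 20)]
# Allowlist: request value -> SQL fragment written by the developer.
SORTABLE = {"id": "id", "title": "title", "amount": "amount"}
DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (id INTEGER, title TEXT, amount INTEGER)")
    db.executemany("INSERT INTO items VALUES (?, ?, ?)", ROWS)
    return db


def list_items_unsafe(db, sort):
    # Weak form: the request value becomes part of the SQL text, so any
    # expression the database accepts after ORDER BY is evaluated.
    return [r[0] for r in db.execute(f"SELECT id FROM items ORDER BY {sort}")]


def list_items_bound(db, sort):
    # Binding is not a fix here: a bound value is a constant, not a column
    # reference, so the requested sort has no effect on the result order.
    return [r[0] for r in db.execute("SELECT id FROM items ORDER BY ?", (sort,))]


def list_items_safe(db, sort, direction="asc"):
    # Hardened form: the request values are only used as dictionary keys;
    # the SQL text is built from the allowlisted fragments alone.
    try:
        column = SORTABLE[sort]
        order = DIRECTIONS[direction.lower()]
    except KeyError:
        raise ValueError("unsupported sort parameter") from None
    sql = f"SELECT id FROM items ORDER BY {column} {order}"
    return [r[0] for r in db.execute(sql)]
```

The sort direction needs the same treatment as the column name, since it is also inserted into the statement as SQL text rather than as a value.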

Impact

Exploitation of this vulnerability allows for a limited SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access or manipulation, although the impact is constrained compared to typical SQL injection vulnerabilities.

Remediation

Users are advised to update the Nextcloud Tables app to version 0.9.7 or 1.0.2. If an immediate update is not possible, the Tables app can be disabled as a temporary workaround.

Added: Jun 1, 2026, 8:03 PM
Updated: Jun 1, 2026, 8:03 PM

Vulnerability Rating

Custom Algorithm

spread: 6.2
impact: 1.3
exploitability: 5.2
remediation: 8.3
relevance: 9.7
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.