Nextcloud
cpe:2.3:a:nextcloud:nextcloud:*:*:*:*:*:*:*
- >= 31.0.0
- >= 32.0.0
A vulnerability in Nextcloud Server versions 31.0.0 prior to 31.0.12 and 32.0.0 prior to 32.0.3, as well as in Nextcloud Enterprise Server versions 21.0.0 prior to 21.0.9.20, 22.0.0, 23.0.0, 24.0.0, 25.0.0, 26.0.0, 27.0.0, 28.0.0, 29.0.0, 30.0.0, 31.0.0, and 32.0.0, allows an authenticated user with access to any file comment to read the content of all comments. The issue arises from a missing check of a relation, which lets users access comments they should not be able to read.
Exploitation of this vulnerability allows for unauthorized access to file comment content, potentially leading to privacy violations or information leaks.
Users are advised to upgrade Nextcloud Server to version 31.0.12 or 32.0.3. Nextcloud Enterprise Server users should upgrade to version 21.0.9.20, 22.2.10.35, 23.0.12.31, 24.0.12.30, 25.0.13.25, 26.0.13.22, 27.1.11.22, 28.0.14.13, 29.0.16.10, 30.0.17.5, 31.0.12 or 32.0.3.
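A version check built from the fixed releases listed above, as an added example that is not part of the advisory or of Nextcloud's code. The function names, the `enterprise` flag and the sample inventory are constructed for illustration; a release line the advisory does not name is reported as `not_listed` rather than assumed safe.

```python
import re

# Fixed release per major line, copied from the advisory text above.
FIXED = {
    21: "21.0.9.20", 22: "22.2.10.35", 23: "23.0.12.31", 24: "24.0.12.30",
    25: "25.0.13.25", 26: "26.0.13.22", 27: "27.1.11.22", 28: "28.0.14.13",
    29: "29.0.16.10", 30: "30.0.17.5", 31: "31.0.12", 32: "32.0.3",
}
# The advisory lists only the 31 and 32 lines for the non-Enterprise Server.
COMMUNITY_LINES = {31, 32}


def parse_version(text):
    """Turn '30.0.17.5' or '31.0.12' into a 4-tuple, padding with zeros."""
    match = re.fullmatch(r"\s*v?(\d+(?:\.\d+){1,3})\s*", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def check(version, enterprise=False):
    """Return 'affected', 'fixed' or 'not_listed' for one installed version."""
    installed = parse_version(version)
    major = installed[0]
    if major not in FIXED or (not enterprise and major not in COMMUNITY_LINES):
        return "not_listed"  # the advisory makes no statement about this line
    # Compare within the major line: the fix for 22.x is 22.2.10.35, so
    # matching on major.minor would wrongly skip 22.0.x and 22.1.x installs.
    return "fixed" if installed >= parse_version(FIXED[major]) else "affected"


if __name__ == "__main__":
    # Constructed inventory: (host label, installed version, Enterprise build?).
    inventory = [
        ("cloud-a", "31.0.11", False),
        ("cloud-b", "32.0.3", False),
        ("cloud-c", "22.2.10.34", True),
        ("cloud-d", "27.1.11.22", True),
        ("cloud-e", "30.0.17.4", False),
    ]
    for host, version, ent in inventory:
        print(f"{host:8} {version:12} {check(version, ent)}")
```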