Unrestricted filenames for logo or favicon as admin in the theming settings in nextcloud server

Nextcloud server is an open source home cloud implementation. In affected versions admins of a server were able to upload a logo or a favicon and to provided a file name which was not restricted and could overwrite files in the appdata directory. Administrators may have access to overwrite these files by other means but this method could be exploited by tricking an admin into uploading a maliciously named file. It is recommended that the Nextcloud Server is upgraded to 24.0.10 or 25.0.4. Users unable to upgrade should avoid ingesting logo files from untrusted sources.

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:L

对路径名的限制不恰当(路径遍历)

Nextcloud 代码问题漏洞

Nextcloud是德国Nextcloud公司的一套开源的自托管文件同步和共享的通信应用平台。 Nextcloud server存在代码问题漏洞，该漏洞源于在主题设置中以管理员身份上传网站图标时能够控制文件名。受影响的产品和版本：Nextcloud server 24.0.10之前的24.0.x版本，25.0.4之前的25.0.x版本。

N/A

N/A