When uploading a logo or favicon the filename can be controlled by attacker since the key can be modified which serves as the filename.
Proof of Concept: #
- go to http://localhost/settings/admin/theming
- upload a logo or favicon
- intercept the request using burp
- modify the key
References #
- https://hackerone.com/reports/1781751
- https://nvd.nist.gov/vuln/detail/CVE-2023-28833
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-ch7f-px7m-hg25