CVE-2024-37314

Nextcloud Photos is a photo management app. Users can remove photos from the album of registered users. It is recommended that the Nextcloud Server is upgraded to 25.0.7 or 26.0.2 and the Nextcloud Enterprise Server is upgraded to 25.0.7 or 26.0.2.

CVSS v3 3.5 LOW

3.5^/10

CVSS v3 : LOW

Vector :

Exploitability : 2.1 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/nextcloud/photos/pull/1749	Patch
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-9chh-5prm-wp43	Vendor Advisory
https://hackerone.com/reports/1946298	Issue Tracking

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:nextcloud:nextcloud_server::::::::
	cpe:2.3:a:nextcloud:nextcloud_server::::::::

History

16 Aug 2024, 19:43

Type	Values Removed	Values Added
References	~~() https://github.com/nextcloud/photos/pull/1749 -~~	() https://github.com/nextcloud/photos/pull/1749 - Patch
References	~~() https://github.com/nextcloud/security-advisories/security/advisories/GHSA-9chh-5prm-wp43 -~~	() https://github.com/nextcloud/security-advisories/security/advisories/GHSA-9chh-5prm-wp43 - Vendor Advisory
References	~~() https://hackerone.com/reports/1946298 -~~	() https://hackerone.com/reports/1946298 - Issue Tracking
CPE		cpe:2.3:a:nextcloud:nextcloud_server::::::::
CWE		CWE-862
First Time		Nextcloud nextcloud Server Nextcloud

17 Jun 2024, 12:42

Type	Values Removed	Values Added
Summary		(es) Nextcloud Photos es una aplicación de gestión de fotografías. Los usuarios pueden eliminar fotos del álbum de usuarios registrados. Se recomienda actualizar Nextcloud Server a 25.0.7 o 26.0.2 y Nextcloud Enterprise Server a 25.0.7 o 26.0.2.

14 Jun 2024, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-06-14 15:15

Updated : 2024-08-16 19:43

NVD link : CVE-2024-37314

Mitre link : CVE-2024-37314

CVE.ORG link : CVE-2024-37314

JSON object : View

Products Affected

nextcloud

nextcloud_server

CWE

CWE-862

Missing Authorization

CWE-284

Improper Access Control

{"id": "CVE-2024-37314", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.5, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.1}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.5, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.1}]}, "published": "2024-06-14T15:15:51.697", "references": [{"url": "https://github.com/nextcloud/photos/pull/1749", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-9chh-5prm-wp43", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://hackerone.com/reports/1946298", "tags": ["Issue Tracking"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-862"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "Nextcloud Photos is a photo management app. Users can remove photos from the album of registered users. It is recommended that the Nextcloud Server is upgraded to 25.0.7 or 26.0.2 and the Nextcloud Enterprise Server is upgraded to 25.0.7 or 26.0.2."}, {"lang": "es", "value": "Nextcloud Photos es una aplicaci\u00f3n de gesti\u00f3n de fotograf\u00edas. Los usuarios pueden eliminar fotos del \u00e1lbum de usuarios registrados. Se recomienda actualizar Nextcloud Server a 25.0.7 o 26.0.2 y Nextcloud Enterprise Server a 25.0.7 o 26.0.2."}], "lastModified": "2024-08-16T19:43:13.153", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "080E81EB-85E3-41B1-A26F-38875D8F7B13", "versionEndExcluding": "25.0.7", "versionStartIncluding": "25.0.0"}, {"criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5A77EE9B-2C50-4342-8E7A-4DA522FED92D", "versionEndExcluding": "26.0.2", "versionStartIncluding": "26.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}