CVE-2024-37317

The Nextcloud Notes app is a distraction free notes taking app for Nextcloud. If an attacker managed to share a folder called `Notes/` with a newly created user before they logged in, the Notes app would use that folder store the personal notes. It is recommended that the Nextcloud Notes app is upgraded to 4.9.3.
Configurations

Configuration 1 (hide)

cpe:2.3:a:nextcloud:notes:*:*:*:*:*:nextcloud:*:*

History

21 Nov 2024, 09:23

Type Values Removed Values Added
References () https://github.com/nextcloud/notes/pull/1260 - Patch () https://github.com/nextcloud/notes/pull/1260 - Patch
References () https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wfqv-cx85-7rjx - Third Party Advisory () https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wfqv-cx85-7rjx - Third Party Advisory
References () https://hackerone.com/reports/2254151 - Issue Tracking () https://hackerone.com/reports/2254151 - Issue Tracking

19 Aug 2024, 15:42

Type Values Removed Values Added
CPE cpe:2.3:a:nextcloud:notes:*:*:*:*:*:nextcloud:*:*
CWE CWE-862
First Time Nextcloud notes
Nextcloud
References () https://github.com/nextcloud/notes/pull/1260 - () https://github.com/nextcloud/notes/pull/1260 - Patch
References () https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wfqv-cx85-7rjx - () https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wfqv-cx85-7rjx - Third Party Advisory
References () https://hackerone.com/reports/2254151 - () https://hackerone.com/reports/2254151 - Issue Tracking

17 Jun 2024, 12:42

Type Values Removed Values Added
Summary
  • (es) La aplicación Nextcloud Notes es una aplicación para tomar notas sin distracciones para Nextcloud. Si un atacante lograba compartir una carpeta llamada `Notas/` con un usuario recién creado antes de iniciar sesión, la aplicación Notas usaría esa carpeta para almacenar las notas personales. Se recomienda actualizar la aplicación Nextcloud Notes a 4.9.3.

14 Jun 2024, 16:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-06-14 16:15

Updated : 2024-11-21 09:23


NVD link : CVE-2024-37317

Mitre link : CVE-2024-37317

CVE.ORG link : CVE-2024-37317


JSON object : View

Products Affected

nextcloud

  • notes
CWE
CWE-284

Improper Access Control

CWE-862

Missing Authorization