CVE-2024-37883

Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. A user with access to a deck board was able to access comments and attachments of already deleted cards. It is recommended that the Nextcloud Deck app is upgraded to 1.6.6 or 1.7.5 or 1.8.7 or 1.9.6 or 1.11.3 or 1.12.1.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/nextcloud/deck/pull/5423	Patch
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-x45g-vx69-r9m8	Patch Third Party Advisory
https://hackerone.com/reports/2289333	Issue Tracking
https://github.com/nextcloud/deck/pull/5423	Patch
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-x45g-vx69-r9m8	Patch Third Party Advisory
https://hackerone.com/reports/2289333	Issue Tracking

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:nextcloud:deck::::::::
	cpe:2.3:a:nextcloud:deck::::::::
	cpe:2.3:a:nextcloud:deck::::::::
	cpe:2.3:a:nextcloud:deck::::::::
	cpe:2.3:a:nextcloud:deck::::::::
	cpe:2.3:a:nextcloud:deck:1.12.0:-::::::
	cpe:2.3:a:nextcloud:deck:1.12.0:beta1::::::
	cpe:2.3:a:nextcloud:deck:1.12.0:beta2::::::
	cpe:2.3:a:nextcloud:deck:1.12.0:beta3::::::
	cpe:2.3:a:nextcloud:deck:1.12.0:beta4::::::
	cpe:2.3:a:nextcloud:deck:1.12.0:beta5::::::

History

21 Nov 2024, 09:24

Type	Values Removed	Values Added
References	~~() https://github.com/nextcloud/deck/pull/5423 - Patch~~	() https://github.com/nextcloud/deck/pull/5423 - Patch
References	~~() https://github.com/nextcloud/security-advisories/security/advisories/GHSA-x45g-vx69-r9m8 - Patch, Third Party Advisory~~	() https://github.com/nextcloud/security-advisories/security/advisories/GHSA-x45g-vx69-r9m8 - Patch, Third Party Advisory
References	~~() https://hackerone.com/reports/2289333 - Issue Tracking~~	() https://hackerone.com/reports/2289333 - Issue Tracking

19 Aug 2024, 16:00

Type	Values Removed	Values Added
CWE		NVD-CWE-noinfo
First Time		Nextcloud Nextcloud deck
CPE		cpe:2.3:a:nextcloud:deck:1.12.0:beta3:::::: cpe:2.3:a:nextcloud:deck:1.12.0:-:::::: cpe:2.3:a:nextcloud:deck:::::::: cpe:2.3:a:nextcloud:deck:1.12.0:beta2:::::: cpe:2.3:a:nextcloud:deck:1.12.0:beta4:::::: cpe:2.3:a:nextcloud:deck:1.12.0:beta1:::::: cpe:2.3:a:nextcloud:deck:1.12.0:beta5::::::
References	~~() https://github.com/nextcloud/deck/pull/5423 -~~	() https://github.com/nextcloud/deck/pull/5423 - Patch
References	~~() https://github.com/nextcloud/security-advisories/security/advisories/GHSA-x45g-vx69-r9m8 -~~	() https://github.com/nextcloud/security-advisories/security/advisories/GHSA-x45g-vx69-r9m8 - Patch, Third Party Advisory
References	~~() https://hackerone.com/reports/2289333 -~~	() https://hackerone.com/reports/2289333 - Issue Tracking

17 Jun 2024, 12:42

Type	Values Removed	Values Added
Summary		(es) Nextcloud Deck es una herramienta de organización estilo kanban destinada a la planificación personal y organización de proyectos para equipos integrada con Nextcloud. Un usuario con acceso a un tablero pudo acceder a comentarios y archivos adjuntos de tarjetas ya eliminadas. Se recomienda actualizar la aplicación Nextcloud Deck a 1.6.6 o 1.7.5 o 1.8.7 o 1.9.6 o 1.11.3 o 1.12.1.

14 Jun 2024, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-06-14 16:15

Updated : 2024-11-21 09:24

NVD link : CVE-2024-37883

Mitre link : CVE-2024-37883

CVE.ORG link : CVE-2024-37883

JSON object : View

Products Affected

nextcloud

deck

CWE

CWE-284

Improper Access Control

NVD-CWE-noinfo

4.3 /10