CVE-2021-37628Authorization Bypass Through User-Controlled Key in Security-advisories

CWE-639Authorization Bypass Through User-Controlled Key2 documents2 sources
Severity
7.5HIGHNVD
EPSS
0.4%
top 41.49%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Nextcloud Security-advisoriesNextcloud Richdocuments
Timeline
PublishedSep 7

Description

Nextcloud Richdocuments is an open source collaborative office suite. In affected versions the File Drop features ("Upload Only" public link shares in Nextcloud) can be bypassed using the Nextcloud Richdocuments app. An attacker was able to read arbitrary files in such a share. It is recommended that the Nextcloud Richdocuments is upgraded to 3.8.4 or 4.2.1. If upgrading is not possible then it is recommended to disable the Richdocuments application.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

NVDnextcloud/richdocuments4.0.04.2.1+1
CVEListV5nextcloud/security-advisories< 3.8.4+1

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

1
CVEList
File Drop can be bypassed using Richdocuments app in nextcloud2021-09-07
CVE-2021-37628 — Security-advisories vulnerability | cvebase