CVE-2021-37630: Authorization Bypass Through User-Controlled Key in Security-advisories

Severity: 6.5 MEDIUM (NVD)
EPSS: 0.3% (top 44.29%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 7

Description

Nextcloud Circles is an open source social network built for the Nextcloud ecosystem. In affected versions, the Nextcloud Circles application allowed any user to join any "Secret Circle" without approval by the Circle owner, leaking private information. It is recommended that Nextcloud Circles be upgraded to 0.19.15, 0.20.11 or 0.21.4. There are no workarounds for this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages (2 packages)

NVD | nextcloud/circles | 0.20.0 | 0.20.11 | +2
CVEListV5 | nextcloud/security-advisories | < 0.19.15 | +2

🔴 Vulnerability Details

CVEList: Secret Circle can be joined without approval in Nextcloud Circles (2021-09-07)
CVE-2021-37630 — Security-advisories vulnerability | cvebase