CVE-2021-37631Authorization Bypass Through User-Controlled Key in Security-advisories

CWE-639Authorization Bypass Through User-Controlled Key2 documents2 sources
Severity
6.5MEDIUMNVD
EPSS
0.3%
top 47.57%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Nextcloud Security-advisoriesNextcloud Deck
Timeline
PublishedSep 7

Description

Deck is an open source kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. In affected versions the Deck application didn't properly check membership of users in a Circle. This allowed other users in the instance to gain access to boards that have been shared with a Circle, even if the user was not a member of the circle. It is recommended that Nextcloud Deck is upgraded to 1.5.1, 1.4.4 or 1.2.9. If you are unable to update it i

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

NVDnextcloud/deck1.3.01.4.4+2
CVEListV5nextcloud/security-advisories< 1.2.9+2

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

1
CVEList
Circle can be accessed by non-Circle members in Nextcloud Deck2021-09-07
CVE-2021-37631 — Security-advisories vulnerability | cvebase