cbcvebase.
CVE-2021-41239
published 2022-03-08

CVE-2021-41239: Nextcloud server is a self hosted system designed to provide cloud style services. In affected versions the User Status API did not consider the user…

PriorityP426medium5.3CVSS 3.1
AVNACLPRNUINSUCLINAN
EPSS
1.09%
61.2th percentile
Nextcloud server is a self hosted system designed to provide cloud style services. In affected versions the User Status API did not consider the user enumeration settings by the administrator. This allowed a user to enumerate other users on the instance, even when user listings where disabled. It is recommended that the Nextcloud Server is upgraded to 20.0.14, 21.0.6 or 22.2.1. There are no known workarounds.

Affected

6 ranges
VendorProductVersion rangeFixed in
nextcloudnextcloud_server< 20.0.1420.0.14
nextcloudnextcloud_server
nextcloudnextcloud_server>= 21.0.0 < 21.0.621.0.6
nextcloudsecurity-advisories< 20.0.1420.0.14
nextcloudsecurity-advisories
nextcloudsecurity-advisories

CVSS provenance

nvdv3.15.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.