CVE-2023-22471 — Authorization Bypass Through User-Controlled Key in Deck

CWE-639 — Authorization Bypass Through User-Controlled Key2 documents2 sources

Severity

4.3MEDIUMNVD

CNA3.5

EPSS

0.1%

top 71.36%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nextcloud Deck Nextcloud Security-advisories

Timeline

PublishedJan 14

Description

Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Broken access control allows a user to delete attachments of other users. There are currently no known workarounds. It is recommended that the Nextcloud Deck app is upgraded to 1.6.5 or 1.7.3 or 1.8.2.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:LExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶NVDnextcloud/deck1.7.0 — 1.7.3+2

▶CVEListV5nextcloud/security-advisories>= 1.60, < 1.6.5, >= 1.7.0, < 1.7.3, >= 1.8.0, < 1.8.2+2

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

Nextcloud Deck vulnerable to authorization bypass↗2023-01-14

▶