CVE-2024-37312
Published 2024-06-14
Priority: P4 31 · Severity: medium 6.3 (CVSS 3.1)
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS: 0.64% (46.0th percentile)
user_oidc app is an OpenID Connect user backend for Nextcloud. Missing access control on the ID4me endpoint allows an attacker to register an account, eventually gaining access to data that is available to all registered users. It is recommended that the OpenID Connect user backend is upgraded to 3.0.0 (Nextcloud 20-23), 4.0.0 (Nextcloud 24) or 5.0.0 (Nextcloud 25-28).
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nextcloud | security-advisories | <= 1.3.6 | — |
| nextcloud | user_oidc | < 5.0.0 | 5.0.0 |
References
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vw7g-959g-vj6q
- https://github.com/nextcloud/user_oidc/commit/9f68a716ecd264160a7c098b8840313f1ac855f2
- https://hackerone.com/reports/2376929