CVE-2024-37314

CWE-284 — Improper Access Control CWE-862 — Missing Authorization2 documents2 sources

Severity

3.5LOW

EPSS

0.1%

top 65.49%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nextcloud Nextcloud Server Nextcloud Security-advisories

Timeline

PublishedJun 14

Description

Nextcloud Photos is a photo management app. Users can remove photos from the album of registered users. It is recommended that the Nextcloud Server is upgraded to 25.0.7 or 26.0.2 and the Nextcloud Enterprise Server is upgraded to 25.0.7 or 26.0.2.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:LExploitability: 2.1 | Impact: 1.4

Affected Packages2 packages

▶NVDnextcloud/nextcloud_server25.0.0 — 25.0.7+1

▶CVEListV5nextcloud/security-advisories>= 25.0.1, < 25.0.7, >= 26.0.0, < 26.0.2+1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

Nextcloud Photos' shared albums have no restriction on photo removal↗2024-06-14

▶