CVE-2024-37315

CWE-284Improper Access Control2 documents2 sources
Severity
4.3MEDIUM
EPSS
0.3%
top 46.53%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Nextcloud Nextcloud ServerNextcloud Security-advisories
Timeline
PublishedJun 14

Description

Nextcloud Server is a self hosted personal cloud system. An attacker with read-only access to a file is able to restore older versions of a document when the files_versions app is enabled. It is recommended that the Nextcloud Server is upgraded to 26.0.12, 27.1.7 or 28.0.3 and that the Nextcloud Enterprise Server is upgraded to 23.0.12.16, 24.0.12.12, 25.0.13.6, 26.0.12, 27.1.7 or 28.0.3.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:NExploitability: 2.1 | Impact: 1.4

Affected Packages2 packages

NVDnextcloud/nextcloud_server25.0.025.0.13+5
CVEListV5nextcloud/security-advisories>= 26.0.0, < 26.0.12, >= 27.0.0, < 27.1.7, >= 28.0.0, < 28.0.3+2

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

1
CVEList
Nextcloud Server's read-only users can restore old versions2024-06-14
CVE-2024-37315 (MEDIUM CVSS 4.3) | Nextcloud Server is a self hosted p | cvebase.io