CVE-2024-37317: Improper Access Control in Notes

Severity
4.6 MEDIUM (NVD)
EPSS
0.1%
top 66.80%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Jun 14
Latest update: Jun 19

Description

The Nextcloud Notes app is a distraction-free note-taking app for Nextcloud. If an attacker managed to share a folder called `Notes/` with a newly created user before they logged in, the Notes app would use that folder to store the user's personal notes. It is recommended that the Nextcloud Notes app is upgraded to 4.9.3.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Exploitability: 2.1 | Impact: 2.5

Affected Packages (2 packages)

NVD  nextcloud/notes  4.6.0  4.9.3
CVEListV5  nextcloud/security-advisories  >= 4.6.0, < 4.9.3

Patches

Vulnerability Details (1)

CVEList: Nextcloud Notes app can be tricked into using a received share created before the user logged in (2024-06-14)

Community (1)

HackerOne: Notes app can be tricked into using a received share created before the user logged in (2024-06-19)