CVE-2024-37884

CWE-284Improper Access Control2 documents2 sources
Severity
5.4MEDIUM
EPSS
0.2%
top 63.81%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Nextcloud Nextcloud ServerNextcloud Security-advisories
Timeline
PublishedJun 14

Description

Nextcloud Server is a self hosted personal cloud system. A malicious user was able to send delete requests for old versions of files they only got shared with read permissions. It is recommended that the Nextcloud Server is upgraded to 26.0.12 or 27.1.7 or 28.0.3 and that the Nextcloud Enterprise Server is upgraded to 26.0.12 or 27.1.7 or 28.0.3.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:LExploitability: 2.1 | Impact: 1.4

Affected Packages2 packages

NVDnextcloud/nextcloud_server25.0.025.0.13.7+3
CVEListV5nextcloud/security-advisories>= 26.0.0, < 26.0.13, >= 27.0.0, < 27.1.8, >= 28.0.0, < 28.0.4+2

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

1
CVEList
Nextcloud Server's users can delete old versions of read-only shared files2024-06-14
CVE-2024-37884 (MEDIUM CVSS 5.4) | Nextcloud Server is a self hosted p | cvebase.io