Description
Nextcloud is an open-source, self-hosted productivity platform. A missing permission check in Nextcloud Deck before 1.2.9, 1.4.5 and 1.5.3 allows an authenticated user to access the Deck cards of another user. It is recommended that the Nextcloud Deck app be upgraded to 1.2.9, 1.4.5 or 1.5.3. There are no known workarounds aside from upgrading.
References (3)
Core References
Third Party Advisory x_refsource_confirm
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2x96-38qg-3m72
Patch, Third Party Advisory x_refsource_misc
https://github.com/nextcloud/deck/pull/3316
Permissions Required, Third Party Advisory x_refsource_misc
https://hackerone.com/reports/1331728
Scores
CVSS v3
8.1
EPSS
0.0036
EPSS Percentile
58.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Details
CWE
CWE-639
CWE-862
Status
published
Products (1)
nextcloud/deck
< 1.2.9
Published
Oct 25, 2021
Tracked Since
Feb 18, 2026