Description
Nextcloud Deck is a Kanban-style project & personal management tool for Nextcloud. In versions prior to 1.4.8, 1.5.6, and 1.6.1, an authenticated user can move stacks with cards from their own board to a board of another user. The Nextcloud Deck app contains a patch for this issue in versions 1.4.8, 1.5.6, and 1.6.1. There are no known currently-known workarounds available.
References (3)
Core 3
Core References
Exploit, Issue Tracking, Third Party Advisory x_refsource_confirm
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vqhf-673w-7r3j
Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://github.com/nextcloud/deck/pull/3541
Exploit, Issue Tracking, Third Party Advisory x_refsource_misc
https://hackerone.com/reports/1450117
Scores
CVSS v3
5.0
EPSS
0.0018
EPSS Percentile
38.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-639
Status
published
Products (1)
nextcloud/deck
< 1.4.8
Published
May 20, 2022
Tracked Since
Feb 18, 2026