CVE-2024-37883

MEDIUM

Nextcloud Deck < 1.6.6 - Improper Access Control

Title source: rule

Description

Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. A user with access to a deck board was able to access comments and attachments of already deleted cards. It is recommended that the Nextcloud Deck app is upgraded to 1.6.6 or 1.7.5 or 1.8.7 or 1.9.6 or 1.11.3 or 1.12.1.

References (3)

[Patch] https://github.com/nextcloud/deck/pull/5423

[Patch, Third Party Advisory] https://github.com/nextcloud/security-advisories/security/advisories/GHSA-x45g-vx69-r9m8

[Issue Tracking] https://hackerone.com/reports/2289333

Scores

CVSS v3 4.3

EPSS 0.0014

EPSS Percentile 34.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Classification

CWE

CWE-284

Status published

Affected Products (7)

nextcloud/deck < 1.6.6

nextcloud/deck

Timeline

Published Jun 14, 2024

Tracked Since Feb 18, 2026