CVE-2024-37884
Severity: LOW
Nextcloud Server 25.0.0-25.0.13.6 and 26.0.0-26.0.12 - Authenticated Improper Access Control via File Version Deletion
Nextcloud Server is a self-hosted personal cloud system. A malicious user was able to send delete requests for old versions of files that had only been shared with them with read permissions. It is recommended that Nextcloud Server is upgraded to 26.0.12, 27.1.7 or 28.0.3 and that Nextcloud Enterprise Server is upgraded to 26.0.12, 27.1.7 or 28.0.3.
References (3)
Issue Tracking (x_refsource_misc): https://hackerone.com/reports/2290680
Vendor Advisory (x_refsource_confirm): https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xwgx-f37p-xh8c
Patch (x_refsource_misc): https://github.com/nextcloud/server/pull/43727
Scores
CVSS v3: 3.5
EPSS: 0.0015
EPSS Percentile: 35.7%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-284
Status: published
Products (2)
nextcloud/nextcloud_server 25.0.0 - 25.0.13.7
nextcloud/nextcloud_server 26.0.0 - 26.0.13
Published: Jun 14, 2024
Tracked Since: Feb 18, 2026