CVE-2024-37887
LOW
Nextcloud Server < 27.1.10 - Improper Access Control
Nextcloud Server is a self-hosted personal cloud system. Private shared calendar events' recurrence exceptions can be read by sharees. It is recommended that the Nextcloud Server is upgraded to 27.1.10 or 28.0.6 or 29.0.1 and that the Nextcloud Enterprise Server is upgraded to 27.1.10 or 28.0.6 or 29.0.1.
Scores
CVSS v3
3.5
EPSS
0.0053
EPSS Percentile
66.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Classification
CWE
CWE-284
Status
published
Affected Products (4)
nextcloud/nextcloud_server
< 27.1.10
nextcloud/nextcloud_server
< 27.1.10
nextcloud/nextcloud_server
nextcloud/nextcloud_server
Timeline
Published
Jun 14, 2024
Tracked Since
Feb 18, 2026