CVE-2024-37887
LOW
Nextcloud Server 27.0.0-27.1.9 - Improper Access Control in Shared Calendar Recurrence Exceptions
Title source: llm
Description
Nextcloud Server is a self-hosted personal cloud system. Private shared calendar events' recurrence exceptions can be read by sharees. It is recommended that the Nextcloud Server is upgraded to 27.1.10 or 28.0.6 or 29.0.1 and that the Nextcloud Enterprise Server is upgraded to 27.1.10 or 28.0.6 or 29.0.1.
References (3)
Core References
Vendor Advisory x_refsource_confirm
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h4xv-cjpm-j595
Patch x_refsource_misc
https://github.com/nextcloud/server/pull/45309
Issue Tracking x_refsource_misc
https://hackerone.com/reports/2479325
Scores
CVSS v3
3.5
EPSS
0.0053
EPSS Percentile
67.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-284
Status
published
Products (2)
nextcloud/nextcloud_server
29.0.0 (2 CPE variants)
nextcloud/nextcloud_server
27.0.0 - 27.1.10 (2 CPE variants)
Published
Jun 14, 2024
Tracked Since
Feb 18, 2026