Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2021-39225

Nextcloud is an open-source, self-hosted productivity platform. A missing permission check in Nextcloud Deck before 1.2.9, 1.4.5 and 1.5.3 allows another authenticated users to access Deck cards of another user. It is recommended that the Nextcloud Deck App is upgraded to 1.2.9, 1.4.5 or 1.5.3. There are no known workarounds aside from upgrading.

Published

2021-10-25T22:15:07.647

Last Modified

2024-11-21T06:18:57.023

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 8.1 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:P/I:P/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

8.0

Impact Score

4.9

Weaknesses

Type: Secondary
CWE-639
Type: Primary
CWE-862

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	nextcloud	deck	< 1.2.9	Yes
Application	nextcloud	deck	< 1.4.5	Yes
Application	nextcloud	deck	< 1.5.3	Yes

References

https://github.com/nextcloud/deck/pull/3316 Patch, Third Party Advisory ([email protected])
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2x96-38qg-3m72 Third Party Advisory ([email protected])
https://hackerone.com/reports/1331728 Permissions Required, Third Party Advisory ([email protected])
https://github.com/nextcloud/deck/pull/3316 Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2x96-38qg-3m72 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://hackerone.com/reports/1331728 Permissions Required, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)