Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-22402

Nextcloud guests app is a utility to create guest users which can only see files shared with them. In affected versions users were able to load the first page of apps they were actually not allowed to access. Depending on the selection of apps installed this may present a permissions bypass. It is recommended that the Guests app is upgraded to 2.4.1, 2.5.1 or 3.0.1. There are no known workarounds for this vulnerability.

Published

2024-01-18T21:15:08.590

Last Modified

2024-11-21T08:56:12.680

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.4 (MEDIUM)

Weaknesses

Type: Primary
CWE-281

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	nextcloud	guests	< 2.4.1	Yes
Application	nextcloud	guests	2.5.0	Yes
Application	nextcloud	guests	3.0.0	Yes

References

https://github.com/nextcloud/guests/pull/1082 Patch, Vendor Advisory ([email protected])
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-v3qw-7vgv-2fxj Vendor Advisory ([email protected])
https://hackerone.com/reports/2251074 Permissions Required, Third Party Advisory ([email protected])
https://github.com/nextcloud/guests/pull/1082 Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-v3qw-7vgv-2fxj Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://hackerone.com/reports/2251074 Permissions Required, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)