Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-37312

user_oidc app is an OpenID Connect user backend for Nextcloud. Missing access control on the ID4me endpoint allows an attacker to register an account eventually getting access to data that is available to all registered users. It is recommended that the OpenID Connect user backend is upgraded to 3.0.0 (Nextcloud 20-23), 4.0.0 (Nexcloud 24) or 5.0.0 (Nextcloud 25-28).

Published

2024-06-14T15:15:51.197

Last Modified

2025-08-14T19:18:22.133

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 6.3 (MEDIUM)

Weaknesses

Type: Secondary
CWE-284
Type: Primary
NVD-CWE-noinfo

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	nextcloud	user_oidc	< 5.0.0	Yes

References

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vw7g-959g-vj6q Vendor Advisory ([email protected])
https://github.com/nextcloud/user_oidc/commit/9f68a716ecd264160a7c098b8840313f1ac855f2 Patch ([email protected])
https://hackerone.com/reports/2376929 Exploit, Third Party Advisory ([email protected])
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vw7g-959g-vj6q Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/nextcloud/user_oidc/commit/9f68a716ecd264160a7c098b8840313f1ac855f2 Patch (af854a3a-2127-422b-91ae-364da2661108)
https://hackerone.com/reports/2376929 Exploit, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)