
CVE-2024-22213

2024-01-18 20:15:08
CWE-79
GitHub_M
web.nvd.nist.gov
deck
kanban
organization
nextcloud
project
planning
security vulnerability
cve-2024-22213

CVSS3: 5.4

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

AI Score: 5.5
Confidence: High
EPSS: 0.001
Percentile: 20.0%

Deck is a kanban-style organization tool aimed at personal planning and project organization for teams, integrated with Nextcloud. In affected versions, users could be tricked into executing malicious code in their browser via HTML sent as a comment. It is recommended that Nextcloud Deck be upgraded to version 1.9.5 or 1.11.2. There are no known workarounds for this vulnerability.

Affected configurations

Node
nextcloud deck  Range: 1.9.0 to 1.9.5
OR
nextcloud deck  Range: 1.10.0 to 1.11.2

Vendor     Product  Version  CPE
nextcloud  deck     *        cpe:2.3:a:nextcloud:deck:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "nextcloud",
    "product": "security-advisories",
    "versions": [
      {
        "version": ">= 1.9.0, < 1.9.5",
        "status": "affected"
      },
      {
        "version": ">= 1.10.0, < 1.11.2",
        "status": "affected"
      }
    ]
  }
]
