Lucene search

GitHub_MCVELIST:CVE-2024-37314

HistoryJun 14, 2024 - 3:05 p.m.

CVE-2024-37314 Nextcloud Photos' shared albums have no restriction on photo removal

2024-06-1415:05:48

CWE-284

GitHub_M

www.cve.org

nextcloud photos

shared albums

photo removal

unrestricted

upgrade

nextcloud server

nextcloud enterprise server

3.5 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L

0.0004 Low

EPSS

Percentile

15.5%

JSON

Nextcloud Photos is a photo management app. Users can remove photos from the album of registered users. It is recommended that the Nextcloud Server is upgraded to 25.0.7 or 26.0.2 and the Nextcloud Enterprise Server is upgraded to 25.0.7 or 26.0.2.

CNA Affected

[
  {
    "vendor": "nextcloud",
    "product": "security-advisories",
    "versions": [
      {
        "version": ">= 25.0.1, < 25.0.7",
        "status": "affected"
      },
      {
        "version": ">= 26.0.0, < 26.0.2",
        "status": "affected"
      }
    ]
  }
]

References

github.com/nextcloud/photos/pull/1749

github.com/nextcloud/security-advisories/security/advisories/GHSA-9chh-5prm-wp43

hackerone.com/reports/1946298

3.5 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L

0.0004 Low

EPSS

Percentile

15.5%

JSON

Related for CVELIST:CVE-2024-37314