hackerone / maholli / H1:2254151
History: Nov 15, 2023 - 10:04 p.m.

Nextcloud: Notes app can be tricked into using a received share created before the user logged in

2023-11-15 22:04:17
Reporter: maholli
Source: hackerone.com
Tags: nextcloud, notes app, unauthorized access

CVSS3: 4.6 Medium

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L

AI Score: 6.7 Medium (Confidence: Low)

EPSS: 0.0004 Low (Percentile: 15.7%)

Security advisory at https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wfqv-cx85-7rjx
Summary:
This vulnerability allowed attackers to access and modify other users’ notes by tricking “Notes App” into using a received share created before the user logged in.

CVE ID:
CVE-2024-37317
