Lucene search
NextcloudDeck

17 matches found

CVE | added 2022/05/20 3:40 p.m. | 90 views

CVE-2022-24906

CVE-2022-24906 affects Nextcloud Deck: an error in deleting deck card attachments reveals the full application path to unauthorized users. Documented impact is information disclosure (full path). Affected product: Nextcloud Deck (Nextcloud app); vulnerable component: deck attachment deletion flow...

CVSS 4.3 | AI score 4.3 | EPSS 0.01013
CVE | added 2023/01/14 12:34 a.m. | 90 views

CVE-2023-22471

CVE-2023-22471 affects Nextcloud Deck (Nextcloud Deck app) and is caused by broken access control that allows a user to delete attachments of other users. Public docs list vulnerable versions: Deck app prior to 1.6.5, prior to 1.7.3, and prior to 1.8.2. Impact is deletion of attachments across ca...

CVSS 4.3 | AI score 4.4 | EPSS 0.00524
CVE | added 2023/01/14 12:32 a.m. | 88 views

CVE-2023-22470

CVE-2023-22470 affects Nextcloud Deck (kanban tool) used with Nextcloud. The vulnerability is a database error that can be exploited to cause a denial of service when the action is repeated; no specific exploitation steps are provided in the documents. Impact is described as potential DoS with mu...

CVSS 6.5 | AI score 5.1 | EPSS 0.00663
CVE | added 2023/01/10 8:26 p.m. | 76 views

CVE-2023-22469

CVE-2023-22469 affects Nextcloud Deck (Deck app for Nextcloud), where unauthorized users can access cached data when obtaining a reference preview for a Deck card to which they have no access. Root cause is leakage via the reference preview cache, enabling data exposure of another user’s cards. A...

CVSS 5.8 | AI score 4.1 | EPSS 0.00687
CVE | added 2022/05/20 3:40 p.m. | 72 views

CVE-2022-29159

CVE-2022-29159 affects Nextcloud Deck (Kanban tool for Nextcloud). In versions prior to 1.4.8, 1.5.6, and 1.6.1, an authenticated user can move stacks with cards from their own board to another user’s board (an IDOR-like issue). A patch exists in Deck versions 1.4.8, 1.5.6, and 1.6.1. Public deta...

CVSS 5 | AI score 4.5 | EPSS 0.00917
CVE | added 2024/01/18 7:11 p.m. | 67 views

CVE-2024-22213

CVE-2024-22213 affects Nextcloud Deck (kanban-style app) and enables cross-site scripting via HTML submitted as a comment. The root cause is untrusted HTML execution in the Deck comment flow, allowing malicious code to run in a user’s browser. Affected versions include Deck 1.9.x and 1.10.x lines...

CVSS 5.4 | AI score 5.5 | EPSS 0.00505
CVE | added 2020/02/04 7:8 p.m. | 62 views

CVE-2019-15619

CVE-2019-15619 affects Nextcloud Suite components: Nextcloud Server 16.0.3, Nextcloud Talk 6.0.3, and Nextcloud Deck 0.6.5. The root cause is improper neutralization of file names, conversation names and board names, leading to cross-site scripting when linking these items within a project. Docum...

CVSS 4.8 | AI score 5 | EPSS 0.0084
CVE | added 2021/02/23 6:28 p.m. | 57 views

CVE-2020-8297

CVE-2020-8297 affects Nextcloud Deck prior to 1.0.2, with an insecure direct object reference (IDOR) that lets a user with a duplicate username access deck data belonging to a previously deleted user. The issue stems from access control handling in the Deck app and is confirmed by multiple source...

CVSS 4.3 | AI score 4.5 | EPSS 0.01339
CVE | added 2021/09/07 7:50 p.m. | 57 views

CVE-2021-37631

CVE-2021-37631 affects Nextcloud Deck. The vulnerability arises from improper checking of Circle membership, allowing non-circle members to access boards shared with a Circle. Affected software is Deck (Nextcloud integration); multiple sources (Red Hat, CNVD, OSV, CVE list, GHSA advisory) consist...

CVSS 6.5 | AI score 6.7 | EPSS 0.01236
CVE | added 2021/10/25 9:40 p.m. | 56 views

CVE-2021-39225

The CVE-2021-39225 entry covers a missing permission check in Nextcloud Deck prior to versions 1.2.9, 1.4.5 and 1.5.3, enabling an authenticated user to read deck cards belonging to another user. Affected product: Nextcloud Deck (Nextcloud app). Root cause: insufficient authorization for access t...

CVSS 8.1 | AI score 7.9 | EPSS 0.01293
CVE | added 2020/07/02 6:35 p.m. | 55 views

CVE-2020-8179

CVE-2020-8179 affects Nextcloud Deck 1.0.0. The root cause is an improper access control in the deck task/move flow: updating a card’s stackId via /apps/deck/cards/{id} does not enforce that the destination belongs to the requester, allowing an attacker to inject tasks into another user’s deck. T...

CVSS 4.1 | AI score 4.3 | EPSS 0.00636
CVE | added 2024/06/14 3:33 p.m. | 55 views

CVE-2024-37883

CVE-2024-37883 affects Nextcloud Deck (kanban tool integrated with Nextcloud). A user with access to a deck board could access comments and attachments of cards that were already deleted, indicating a disclosure issue due to Deck’s handling of deleted items. Affected versions are prior to upgrade...

CVSS 4.3 | AI score 4.5 | EPSS 0.00381
CVE | added 2020/10/05 1:17 p.m. | 51 views

CVE-2020-8182

CVE-2020-8182 affects Nextcloud Deck 0.8.0. Root cause: improper access control that permits a user to reshare boards shared with them with greater permissions than they possess. Documents describe a missing server-side check on per-user sharing permissions, enabling an attacker to alter access (...

CVSS 8 | AI score 7.7 | EPSS 0.01023
CVE | added 2020/10/05 1:16 p.m. | 50 views

CVE-2020-8235

CVE-2020-8235 affects Nextcloud Deck 1.0.4, where missing access control enables an insecure direct object reference to view all attachments. Root cause: inadequate access checks when accessing attachments from the Deck task view, leading to exposure of user-owned files. Public references in the ...

CVSS 4.3 | AI score 4.5 | EPSS 0.00772
CVE | added 2021/06/11 3:49 p.m. | 47 views

CVE-2021-22913

Nextcloud Deck prior to 1.2.7 and 1.4.1 is affected by an information disclosure vulnerability where searches for sharees are sent to the lookup server by default instead of the local Nextcloud server, unless a global search is explicitly chosen. The underlying issue is that the search requests a...

CVSS 6.5 | AI score 6.1 | EPSS 0.01368
CVE | added 2025/12/05 5:28 p.m. | 13 views

CVE-2025-66557

Affected software: Nextcloud Deck plugin/app. Vulnerability: A bug in the permission logic allowed users with the "Can share" permission to modify the permissions of other recipients (non-owners). Versions impacted: Pre-1.14.6 and pre-1.15.2. Impact (as stated): Users could alter recipient permis...

CVSS 5.4 | AI score 6.3 | EPSS 0.00233
CVE | added 2025/12/05 5:26 p.m. | 11 views

CVE-2025-66548

The Nextcloud Deck app allows spoofing file extensions by using RTLO characters, causing a mismatch between the displayed and actual extension. Affected versions are prior to 1.12.7, 1.14.4, and 1.15.1; fixes are in 1.12.7, 1.14.4, and 1.15.1. Exploitation details are not provided in the supplied...

CVSS 5.5 | AI score 6.4 | EPSS 0.00125