12 matches found
CVE-2022-24906
CVE-2022-24906 affects Nextcloud Deck: an error in deleting deck card attachments reveals the full application path to unauthorized users. Documented impact is information disclosure (full path). Affected product: Nextcloud Deck (Nextcloud app); vulnerable component: deck attachment deletion flow...
CVE-2023-22470
CVE-2023-22470 affects Nextcloud Deck (kanban tool) used with Nextcloud. The vulnerability is a database error that can be exploited to cause a denial of service when the action is repeated; no specific exploitation steps are provided in the documents. Impact is described as potential DoS with mu...
CVE-2023-22471
CVE-2023-22471 affects Nextcloud Deck (Nextcloud Deck app) and is caused by broken access control that allows a user to delete attachments of other users. Public docs list vulnerable versions: Deck app prior to 1.6.5, prior to 1.7.3, and prior to 1.8.2. Impact is deletion of attachments across ca...
CVE-2023-22469
CVE-2023-22469 affects Nextcloud Deck (Deck app for Nextcloud), where unauthorized users can access cached data when obtaining a reference preview for a Deck card to which they have no access. Root cause is leakage via the reference preview cache, enabling data exposure of another user’s cards. A...
CVE-2022-29159
CVE-2022-29159 affects Nextcloud Deck (Kanban tool for Nextcloud). In versions prior to 1.4.8, 1.5.6, and 1.6.1, an authenticated user can move stacks with cards from their own board to another user’s board (an IDOR-like issue). A patch exists in Deck versions 1.4.8, 1.5.6, and 1.6.1. Public deta...
CVE-2019-15619
CVE-2019-15619 affects Nextcloud Suite components: Nextcloud Server 16.0.3, Nextcloud Talk 6.0.3, and Nextcloud Deck 0.6.5. The root cause is improper neutralization of file names, conversation names and board names, leading to cross-site scripting when linking these items within a project. Docum...
CVE-2020-8297
CVE-2020-8297 affects Nextcloud Deck prior to 1.0.2, with an insecure direct object reference (IDOR) that lets a user with a duplicate username access deck data belonging to a previously deleted user. The issue stems from access control handling in the Deck app and is confirmed by multiple source...
CVE-2020-8179
CVE-2020-8179 affects Nextcloud Deck 1.0.0. The root cause is improper access control in the Deck task/move flow: updating a card’s stackId via /apps/deck/cards/{id} does not enforce that the destination belongs to the requester, allowing an attacker to inject tasks into another user’s deck. T...
CVE-2021-39225
The CVE-2021-39225 entry covers a missing permission check in Nextcloud Deck prior to versions 1.2.9, 1.4.5 and 1.5.3, enabling an authenticated user to read deck cards belonging to another user. Affected product: Nextcloud Deck (Nextcloud app). Root cause: insufficient authorization for access t...
CVE-2021-37631
CVE-2021-37631 affects Nextcloud Deck. The vulnerability arises from improper checking of Circle membership, allowing non-circle members to access boards shared with a Circle. Affected software is Deck (Nextcloud integration); multiple sources (Red Hat, CNVD, OSV, CVE list, GHSA advisory) consist...
CVE-2021-22913
Nextcloud Deck prior to 1.2.7 and 1.4.1 is affected by an information disclosure vulnerability where searches for sharees are sent to the lookup server by default instead of the local Nextcloud server, unless a global search is explicitly chosen. The underlying issue is that the search requests a...
CVE-2025-66548
The Nextcloud Deck app allows spoofing file extensions by using RTLO characters, causing a mismatch between the displayed and actual extension. Affected versions are prior to 1.12.7, 1.14.4, and 1.15.1; fixes are in 1.12.7, 1.14.4, and 1.15.1. Exploitation details are not provided in the supplied...