CVE-2024-37884 – Nextcloud Server's users can delete old versions of read-only shared files
https://notcve.org/view.php?id=CVE-2024-37884
Nextcloud Server is a self-hosted personal cloud system. A malicious user was able to send delete requests for old versions of files that had only been shared with them with read permissions. It is recommended that the Nextcloud Server is upgraded to 26.0.12, 27.1.7 or 28.0.3 and that the Nextcloud Enterprise Server is upgraded to 26.0.12, 27.1.7 or 28.0.3.
• References: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xwgx-f37p-xh8c https://github.com/nextcloud/server/pull/43727 https://hackerone.com/reports/2290680
• CWE-284: Improper Access Control
CVE-2024-37883 – Nextcloud Deck can access comments and attachments of deleted cards
https://notcve.org/view.php?id=CVE-2024-37883
Nextcloud Deck is a kanban-style organization tool aimed at personal planning and project organization for teams, integrated with Nextcloud. A user with access to a Deck board was able to access comments and attachments of already deleted cards. It is recommended that the Nextcloud Deck app is upgraded to 1.6.6, 1.7.5, 1.8.7, 1.9.6, 1.11.3 or 1.12.1.
• References: https://github.com/nextcloud/deck/pull/5423 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-x45g-vx69-r9m8 https://hackerone.com/reports/2289333
• CWE-284: Improper Access Control
CVE-2024-37317 – Nextcloud Notes app can be tricked into using a received share created before the user logged in
https://notcve.org/view.php?id=CVE-2024-37317
The Nextcloud Notes app is a distraction-free note-taking app for Nextcloud. If an attacker managed to share a folder called `Notes/` with a newly created user before they logged in, the Notes app would use that folder to store the personal notes. It is recommended that the Nextcloud Notes app is upgraded to 4.9.3.
• References: https://github.com/nextcloud/notes/pull/1260 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wfqv-cx85-7rjx https://hackerone.com/reports/2254151
• CWE-284: Improper Access Control
CVE-2024-37316 – Nextcloud Calendar's event create can create attachments that link to other websites
https://notcve.org/view.php?id=CVE-2024-37316
Nextcloud Calendar is a calendar app for Nextcloud. Authenticated users could create an event with manipulated attachment data, leading to a bad redirect for participants when clicked. It is recommended that the Nextcloud Calendar app is upgraded to 4.6.8 or 4.7.2.
• References: https://github.com/nextcloud/calendar/pull/5966 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2r7q-vfmv-79qf https://hackerone.com/reports/2457588
• CWE-241: Improper Handling of Unexpected Data Type
CVE-2024-37315 – Nextcloud Server's read-only users can restore old versions
https://notcve.org/view.php?id=CVE-2024-37315
Nextcloud Server is a self-hosted personal cloud system. An attacker with read-only access to a file is able to restore older versions of a document when the files_versions app is enabled. It is recommended that the Nextcloud Server is upgraded to 26.0.12, 27.1.7 or 28.0.3 and that the Nextcloud Enterprise Server is upgraded to 23.0.12.16, 24.0.12.12, 25.0.13.6, 26.0.12, 27.1.7 or 28.0.3.
• References: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-5mq8-738w-5942 https://github.com/nextcloud/server/pull/43727 https://hackerone.com/reports/1356508
• CWE-284: Improper Access Control