CVSS: 4.6EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37317 – Nextcloud Notes app can be tricked into using a received share created before the user logged in
https://notcve.org/view.php?id=CVE-2024-37317
The Nextcloud Notes app is a distraction free notes taking app for Nextcloud. If an attacker managed to share a folder called `Notes/` with a newly created user before they logged in, the Notes app would use that folder store the personal notes. It is recommended that the Nextcloud Notes app is upgraded to 4.9.3. La aplicación Nextcloud Notes es una aplicación para tomar notas sin distracciones para Nextcloud. Si un atacante lograba compartir una carpeta llamada `Notas/` con un usuario recién creado antes de iniciar sesión, la aplicación Notas usaría esa carpeta para almacenar las notas personales. • https://github.com/nextcloud/notes/pull/1260 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wfqv-cx85-7rjx https://hackerone.com/reports/2254151 • CWE-284: Improper Access Control •
CVSS: 4.6EPSS: 0%CPEs: 2EXPL: 0CVE-2024-37316 – Nextcloud Calendar's event create can create attachments that link to other websites
https://notcve.org/view.php?id=CVE-2024-37316
Nextcloud Calendar is a calendar app for Nextcloud. Authenticated users could create an event with manipulated attachment data leading to a bad redirect for participants when clicked. It is recommended that the Nextcloud Calendar App is upgraded to 4.6.8 or 4.7.2. Nextcloud Calendar es una aplicación de calendario para Nextcloud. Los usuarios autenticados podrían crear un evento con datos adjuntos manipulados que provoquen una mala redirección para los participantes cuando se haga clic en ellos. • https://github.com/nextcloud/calendar/pull/5966 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2r7q-vfmv-79qf https://hackerone.com/reports/2457588 • CWE-241: Improper Handling of Unexpected Data Type •