CVE-2024-37316
Nextcloud Calendar's event create can create attachments that link to other websites
Severity Score
4.6
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Track
*SSVC
Descriptions
Nextcloud Calendar is a calendar app for Nextcloud. Authenticated users could create an event with manipulated attachment data leading to a bad redirect for participants when clicked. It is recommended that the Nextcloud Calendar App is upgraded to 4.6.8 or 4.7.2.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision: Track
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2024-06-05 CVE Reserved
- 2024-06-14 CVE Published
- 2024-08-02 CVE Updated
- 2024-08-20 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-241: Improper Handling of Unexpected Data Type
CAPEC
References (3)
URL | Tag | Source |
---|---|---|
https://github.com/nextcloud/calendar/pull/5966 | X_refsource_misc | |
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2r7q-vfmv-79qf | X_refsource_confirm | |
https://hackerone.com/reports/2457588 | X_refsource_misc |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Nextcloud | Security-advisories | >= 4.3.0 < 4.6.8 | en | Affected |
Nextcloud | Security-advisories | >= 4.7.0 < 4.7.2 | en | Affected |