CVE-2024-37314

Nextcloud Photos is a photo management app. Users can remove photos from the album of registered users. It is recommended that the Nextcloud Server is upgraded to 25.0.7 or 26.0.2 and the Nextcloud Enterprise Server is upgraded to 25.0.7 or 26.0.2.

CVSS v3 3.5 LOW

3.5^/10

CVSS v3 : LOW

Vector :

Exploitability : 2.1 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/nextcloud/photos/pull/1749	Patch
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-9chh-5prm-wp43	Vendor Advisory
https://hackerone.com/reports/1946298	Issue Tracking
https://github.com/nextcloud/photos/pull/1749	Patch
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-9chh-5prm-wp43	Vendor Advisory
https://hackerone.com/reports/1946298	Issue Tracking

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:nextcloud:nextcloud_server::::::::
	cpe:2.3:a:nextcloud:nextcloud_server::::::::

History

No history.

Information

Published : 2024-06-14 15:15

Updated : 2024-11-21 09:23

NVD link : CVE-2024-37314

Mitre link : CVE-2024-37314

CVE.ORG link : CVE-2024-37314

JSON object : View

Products Affected

nextcloud

nextcloud_server

CWE

CWE-284

Improper Access Control

CWE-862

Missing Authorization

{"id": "CVE-2024-37314", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.5, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.5, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.1}]}, "published": "2024-06-14T15:15:51.697", "references": [{"url": "https://github.com/nextcloud/photos/pull/1749", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-9chh-5prm-wp43", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://hackerone.com/reports/1946298", "tags": ["Issue Tracking"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nextcloud/photos/pull/1749", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-9chh-5prm-wp43", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://hackerone.com/reports/1946298", "tags": ["Issue Tracking"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-284"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "Nextcloud Photos is a photo management app. Users can remove photos from the album of registered users. It is recommended that the Nextcloud Server is upgraded to 25.0.7 or 26.0.2 and the Nextcloud Enterprise Server is upgraded to 25.0.7 or 26.0.2."}, {"lang": "es", "value": "Nextcloud Photos es una aplicaci\u00f3n de gesti\u00f3n de fotograf\u00edas. Los usuarios pueden eliminar fotos del \u00e1lbum de usuarios registrados. Se recomienda actualizar Nextcloud Server a 25.0.7 o 26.0.2 y Nextcloud Enterprise Server a 25.0.7 o 26.0.2."}], "lastModified": "2024-11-21T09:23:35.537", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "080E81EB-85E3-41B1-A26F-38875D8F7B13", "versionEndExcluding": "25.0.7", "versionStartIncluding": "25.0.0"}, {"criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5A77EE9B-2C50-4342-8E7A-4DA522FED92D", "versionEndExcluding": "26.0.2", "versionStartIncluding": "26.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}