4.3

CVE-2022-24906

Exploit

Error in deleting deck cards attachment reveals the full application path in Nextcloud Deck

Nextcloud Deck is a Kanban-style project & personal management tool for Nextcloud, similar to Trello. The full path of the application is exposed to unauthorized users. It is recommended that the Nextcloud Deck app is upgraded to 1.2.11, 1.4.6, or 1.5.4. There is no workaround available.
Possible countermeasure
Deck: No workaround available
Data provided by the National Vulnerability Database (NVD)
Nextcloud Deck Version < 1.2.11
Nextcloud Deck Version >= 1.4.0 < 1.4.6
Nextcloud Deck Version >= 1.5.0 < 1.5.4
Further vulnerability information
System: Nextcloud App
Product: Deck
Version >= 0.0.0, < 1.2.11
Version >= 1.4.0, < 1.4.6
Version >= 1.5.0, < 1.5.4
No warning was found for this CVE.
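EPSS metrics

| Type | Source | Score | Percentile |
|------|--------|-------|------------|
| EPSS | FIRST.org | 0.27% | 0.5 |

CVSS metrics

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|--------|------------|---------------|--------------|---------------|
| nvd@nist.gov | 4.3 | 2.8 | 1.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| nvd@nist.gov | 4 | 8 | 2.9 | AV:N/AC:L/Au:S/C:P/I:N/A:N |
| security-advisories@github.com | 3.5 | 2.1 | 1.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N |
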
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-209 Generation of Error Message Containing Sensitive Information

The product generates an error message that includes sensitive information about its environment, users, or associated data.