4.6
CVE-2024-37317
- EPSS 0.14%
- Veröffentlicht 14.06.2024 16:15:11
- Zuletzt bearbeitet 21.11.2024 09:23:35
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginNextcloud Notes app can be tricked into using a received share created before the user logged in
Notes app can be tricked into using a received share created before the user logged in
The Nextcloud Notes app is a distraction free notes taking app for Nextcloud. If an attacker managed to share a folder called `Notes/` with a newly created user before they logged in, the Notes app would use that folder store the personal notes. It is recommended that the Nextcloud Notes app is upgraded to 4.9.3.
Mögliche Gegenmaßnahme
Notes: * Disable Notes app
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.14% | 0.331 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 4.6 | 2.1 | 2.5 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
|
| security-advisories@github.com | 4.6 | 1.2 | 3.4 |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L
|
CWE-284 Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-862 Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.