4.3

CVE-2024-52507

Share information of the Nextcloud Tables app is not limited to affected users

Share information of Tables app is not limited to affected users

Nextcloud Tables allows users to to create tables with individual columns. The information which Table (numeric ID) is shared with which groups and users and the respective permissions was not limited to affected users. It is recommended that the Nextcloud Tables app is upgraded to 0.8.1.
Mögliche Gegenmaßnahme
Tables: * Disable app tables
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
NextcloudTables SwPlatformnextcloud Version >= 0.3.0 < 0.8.1
Weitere Schwachstelleninformationen
SystemNextcloud App
Produkt Tables
Version >= 0.3.0, < 0.8.1
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.41% 0.324
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 4.3 2.8 1.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
security-advisories@github.com 3.5 2.1 1.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
CWE-639 Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-rgvc-xr2w-qq45
Vendor Advisory
https://github.com/nextcloud/tables/commit/13ca45f1b9f70f694aea81b78bc7416ec840c332
Patch
https://github.com/nextcloud/tables/pull/1406
Issue Tracking
https://hackerone.com/reports/2705507
Issue Tracking
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-rgvc-xr2w-qq45
Third Party Advisory