Bm402

**Name of the Vulnerable Software and Affected Versions** Nextcloud Circles versions prior to 0.19.15 Nextcloud Circles versions prior to 0.20.11 Nextcloud Circles versions prior to 0.21.4 **Description** The Nextcloud Circles application allowed any user to join any "Secret Circle" without approval by the Circle owner, potentially leaking private information. **Recommendations** For versions prior to 0.19.15, upgrade to 0.19.15. For versions prior to 0.20.11, upgrade to 0.20.11. For versions prior to 0.21.4, upgrade to 0.21.4. As a temporary workaround, consider restricting access to "Secret Circles" until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Nextcloud Deck versions prior to 1.5.1 Nextcloud Deck versions prior to 1.4.4 Nextcloud Deck versions prior to 1.2.9 **Description** The Deck application didn't properly check membership of users in a Circle. This allowed other users in the instance to gain access to boards that have been shared with a Circle, even if the user was not a member of the circle. **Recommendations** For versions prior to 1.5.1, upgrade to 1.5.1. For versions prior to 1.4.4, upgrade to 1.4.4. For versions prior to 1.2.9, upgrade to 1.2.9. If you are unable to update, disable the Deck plugin.