PT-2021-21745 · Nextcloud · Nextcloud Circles

Bm402 · Published 2021-09-07 · Updated 2021-09-14 · CVE-2021-37630

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Nextcloud Circles versions prior to 0.19.15
Nextcloud Circles versions prior to 0.20.11
Nextcloud Circles versions prior to 0.21.4

Description

The Nextcloud Circles application allowed any user to join any "Secret Circle" without approval by the Circle owner, potentially leaking private information.

Recommendations

For versions prior to 0.19.15, upgrade to 0.19.15.
For versions prior to 0.20.11, upgrade to 0.20.11.
For versions prior to 0.21.4, upgrade to 0.21.4.
As a temporary workaround, consider restricting access to "Secret Circles" until the issue is resolved.

Fix

IDOR

Weakness Enumeration

Related Identifiers

CVE-2021-37630
GHSA-56J9-3RJ4-WVGM

Affected Products

Nextcloud Circles