PT-2021-21746 · Nextcloud · Nextcloud Deck

Bm402

Published

2021-09-07

Updated

2021-09-14

CVE-2021-37631

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions Nextcloud Deck versions prior to 1.5.1 Nextcloud Deck versions prior to 1.4.4 Nextcloud Deck versions prior to 1.2.9

Description The Deck application didn't properly check membership of users in a Circle. This allowed other users in the instance to gain access to boards that have been shared with a Circle, even if the user was not a member of the circle.

Recommendations For versions prior to 1.5.1, upgrade to 1.5.1. For versions prior to 1.4.4, upgrade to 1.4.4. For versions prior to 1.2.9, upgrade to 1.2.9. If you are unable to update, disable the Deck plugin.

Fix

IDOR

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-639

Related Identifiers

CVE-2021-37631

GHSA-4MXP-J277-82HR

Affected Products

Nextcloud Deck

PT-2021-21746 · Nextcloud · Nextcloud Deck

CVE-2021-37631

Weakness Enumeration

Related Identifiers

Affected Products

References · 7