PT-2024-19392 · Nextcloud · Nextcloud Guests App
Ry0Tak · Published 2024-01-18 · Updated 2024-01-26 · CVE-2024-22401
CVSS v3.1: 4.1 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Nextcloud Guests app versions prior to 2.4.1
Nextcloud Guests app versions prior to 2.5.1
Nextcloud Guests app versions prior to 3.0.1
Description
The Nextcloud guests app is a utility to create guest users which can only see files shared with them. In affected versions, users could change the allowed list of apps, allowing them to use apps that were not intended to be used.
Recommendations
For versions prior to 2.4.1, upgrade to 2.4.1.
For versions prior to 2.5.1, upgrade to 2.5.1.
For versions prior to 3.0.1, upgrade to 3.0.1.
As a temporary workaround, consider restricting access to the allowed list of apps until a patch is available.
Weakness Enumeration
Improper Preservation of Permissions
Affected Products
Nextcloud Guests App