PT-2024-19393 · Nextcloud · Nextcloud Guests App
Ry0Tak · Published 2024-01-18 · Updated 2024-01-26
CVE-2024-22402
CVSS v3.1: 5.4 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Nextcloud guests app versions prior to 2.4.1
Nextcloud guests app versions prior to 2.5.1
Nextcloud guests app versions prior to 3.0.1
Description
The Nextcloud guests app is a utility for creating guest users who can only see files shared with them. In affected versions, guest users were able to load the first page of apps they were not actually allowed to access. Depending on which apps are installed, this may amount to a permissions bypass.
Recommendations
For versions prior to 2.4.1, upgrade to 2.4.1.
For versions prior to 2.5.1, upgrade to 2.5.1.
For versions prior to 3.0.1, upgrade to 3.0.1.
As a temporary workaround, consider restricting access to sensitive apps until the Guests app is upgraded.
Weakness Enumeration
Improper Preservation of Permissions
Related Identifiers
CVE-2024-22402
Affected Products
Nextcloud Guests App