PT-2024-4380 · Nextcloud · Nextcloud Server

Published: 2024-06-14 · Updated: 2025-01-24 · CVE-2024-37887

CVSS v2.0: 4.0 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions
Nextcloud Server versions prior to 27.1.10
Nextcloud Server versions prior to 28.0.6
Nextcloud Server versions prior to 29.0.1
Nextcloud Enterprise Server versions prior to 27.1.10
Nextcloud Enterprise Server versions prior to 28.0.6
Nextcloud Enterprise Server versions prior to 29.0.1

Description
The issue is incorrect access control in the Calendar component of Nextcloud Server: sharees can read the recurrence exceptions of private events in a shared calendar. A remote attacker can use this to access confidential information.

Recommendations
Nextcloud Server versions prior to 27.1.10: upgrade to version 27.1.10 or later.
Nextcloud Server versions prior to 28.0.6: upgrade to version 28.0.6 or later.
Nextcloud Server versions prior to 29.0.1: upgrade to version 29.0.1 or later.
Nextcloud Enterprise Server versions prior to 27.1.10: upgrade to version 27.1.10 or later.
Nextcloud Enterprise Server versions prior to 28.0.6: upgrade to version 28.0.6 or later.
Nextcloud Enterprise Server versions prior to 29.0.1: upgrade to version 29.0.1 or later.

Weakness Enumeration
Improper Access Control

Related Identifiers

ALT-PU-2024-14145
ALT-PU-2024-14169
ALT-PU-2025-1855
BDU:2024-04871
CVE-2024-37887
GHSA-H4XV-CJPM-J595

Affected Products

ALT Linux
Nextcloud Enterprise Server
Nextcloud Server
RED OS