CVE-2021-37630
6.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Nextcloud Circles is an open source social network built for the nextcloud ecosystem. In affected versions the Nextcloud Circles application allowed any user to join any "Secret Circle" without approval by the Circle owner leaking private information. It is recommended that Nextcloud Circles is upgraded to 0.19.15, 0.20.11 or 0.21.4. There are no workarounds for this issue.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| nextcloud | security-advisories | < 0.19.15 | affected |
| nextcloud | security-advisories | >= 0.20.0, < 0.20.11 | affected |
| nextcloud | security-advisories | >= 0.21.0, < 0.21.4 | affected |
Weaknesses
- CWE-639: CWE-639: Authorization Bypass Through User-Controlled Key
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-56j9-3rj4-wvgm
- https://github.com/nextcloud/circles/pull/768
- https://hackerone.com/reports/1257624
References
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-56j9-3rj4-wvgm
- https://github.com/nextcloud/circles/pull/768
- https://hackerone.com/reports/1257624
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.