CVE-2024-37884

Summary

Nextcloud Server is a self hosted personal cloud system. A malicious user was able to send delete requests for old versions of files they only got shared with read permissions. It is recommended that the Nextcloud Server is upgraded to 26.0.12 or 27.1.7 or 28.0.3 and that the Nextcloud Enterprise Server is upgraded to 26.0.12 or 27.1.7 or 28.0.3.

Affected Software

VendorProductVersion RangeStatus
nextcloudsecurity-advisories>= 26.0.0, < 26.0.13affected
nextcloudsecurity-advisories>= 27.0.0, < 27.1.8affected
nextcloudsecurity-advisories>= 28.0.0, < 28.0.4affected

Weaknesses

  • CWE-284: CWE-284: Improper Access Control

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References