Vulnerability CVE-2021-37630

Published: 2021-09-07

Description:
Nextcloud Circles is an open source social network built for the Nextcloud ecosystem. In affected versions, the Nextcloud Circles application allowed any user to join any "Secret Circle" without approval by the Circle owner, leaking private information. It is recommended that Nextcloud Circles be upgraded to 0.19.15, 0.20.11 or 0.21.4. There are no workarounds for this issue.

Type:
CWE-639 (Authorization Bypass Through User-Controlled Key)

CVSS2 vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)

CVSS Base Score          4/10
Impact Subscore          2.9/10
Exploitability Subscore  8/10

Exploit range            Remote
Attack complexity        Low
Authentication           Single time
Confidentiality impact   Partial
Integrity impact         None
Availability impact      None

Affected software:
Nextcloud -> Circles

References:
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-56j9-3rj4-wvgm
https://github.com/nextcloud/circles/pull/768
https://hackerone.com/reports/1257624

Copyright 2024, cxsecurity.com