CVE-2024-37314: Nextcloud Photos' shared albums have no restriction on photo removal
First published: Fri Jun 14 2024(Updated: )
Nextcloud Photos is a photo management app. Users can remove photos from the album of registered users. It is recommended that the Nextcloud Server is upgraded to 25.0.7 or 26.0.2 and the Nextcloud Enterprise Server is upgraded to 25.0.7 or 26.0.2.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Nextcloud Server | >=25.0.0<25.0.7 | |
| Nextcloud Server | >=26.0.0<26.0.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-37314?
CVE-2024-37314 has been classified as a medium severity vulnerability.
How do I fix CVE-2024-37314?
To resolve CVE-2024-37314, upgrade Nextcloud Server to version 25.0.7 or 26.0.2.
Which versions of Nextcloud are affected by CVE-2024-37314?
CVE-2024-37314 affects Nextcloud Server versions prior to 25.0.7 and 26.0.2.
Can unregistered users remove photos in Nextcloud due to CVE-2024-37314?
Yes, CVE-2024-37314 allows users to remove photos from the albums of registered users.
Is the Nextcloud Enterprise Server affected by CVE-2024-37314?
Yes, the Nextcloud Enterprise Server is also affected by CVE-2024-37314 and should be upgraded to 25.0.7 or 26.0.2.
- agent/references
- agent/title
- agent/type
- agent/description
- agent/first-publish-date
- agent/author
- agent/severity
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/last-modified-date
- agent/weakness
- agent/softwarecombine
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/nextcloud
- canonical/nextcloud server
- version/nextcloud server/25.0.0
- version/nextcloud server/26.0.0