CVE-2024-37317: Nextcloud Notes app can be tricked into using a received share created before the user logged in
First published: Fri Jun 14 2024(Updated: )
The Nextcloud Notes app is a distraction free notes taking app for Nextcloud. If an attacker managed to share a folder called `Notes/` with a newly created user before they logged in, the Notes app would use that folder store the personal notes. It is recommended that the Nextcloud Notes app is upgraded to 4.9.3.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Nextcloud Notes | >=4.6.0<4.9.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-37317?
The severity of CVE-2024-37317 is considered moderate due to the potential for unauthorized access to personal notes stored in the Nextcloud Notes app.
How do I fix CVE-2024-37317?
To fix CVE-2024-37317, it is recommended to upgrade the Nextcloud Notes app to a version later than 4.9.3.
Who is affected by CVE-2024-37317?
Users of Nextcloud Notes versions between 4.6.0 and 4.9.3 are affected by CVE-2024-37317.
What is the impact of CVE-2024-37317?
The impact of CVE-2024-37317 could allow attackers to gain access to personal notes if a folder is improperly shared before user login.
Is there a workaround for CVE-2024-37317?
A workaround for CVE-2024-37317 includes ensuring that folders are not shared with new users until after they have logged in.
- agent/references
- agent/title
- agent/description
- agent/first-publish-date
- agent/type
- agent/author
- agent/event
- collector/mitre-cve
- source/MITRE
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/severity
- agent/remedy
- agent/weakness
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- agent/source
- vendor/nextcloud
- canonical/nextcloud notes
- version/nextcloud notes/4.6.0