CVE-2024-37884: Nextcloud Server's users can delete old versions of read-only shared files
First published: Fri Jun 14 2024(Updated: )
Nextcloud Server is a self hosted personal cloud system. A malicious user was able to send delete requests for old versions of files they only got shared with read permissions. It is recommended that the Nextcloud Server is upgraded to 26.0.12 or 27.1.7 or 28.0.3 and that the Nextcloud Enterprise Server is upgraded to 26.0.12 or 27.1.7 or 28.0.3.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Nextcloud Nextcloud Server | >=25.0.0<25.0.13.7 | |
| Nextcloud Nextcloud Server | >=26.0.0<26.0.13 | |
| Nextcloud Nextcloud Server | >=26.0.0<26.0.13 | |
| Nextcloud Nextcloud Server | >=27.0.0<27.1.8 | |
| Nextcloud Nextcloud Server | >=27.0.0<27.1.8 | |
| Nextcloud Nextcloud Server | >=28.0.0<28.0.4 | |
| Nextcloud Nextcloud Server | >=28.0.0<28.0.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- agent/weakness
- agent/title
- agent/references
- agent/type
- agent/description
- agent/first-publish-date
- agent/author
- agent/event
- collector/mitre-cve
- source/MITRE
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/severity
- agent/remedy
- agent/last-modified-date
- agent/tags
- agent/softwarecombine
- vendor/nextcloud
- canonical/nextcloud nextcloud server
- version/nextcloud nextcloud server/25.0.0
- version/nextcloud nextcloud server/26.0.0
- version/nextcloud nextcloud server/27.0.0
- version/nextcloud nextcloud server/28.0.0