CVE-2021-39225
Last modified
CVE-2021-39225 is a high-severity vulnerability rated 8.1/10 on the CVSS scale. Nextcloud is an open-source, self-hosted productivity platform. A missing permission check in Nextcloud Deck before 1.2.9, 1.4.5 and 1.5.3 allows another authenticated users to access Deck cards of another user. EPSS estimates a 1.29% chance of exploitation in the next 30 days.
Description
Nextcloud is an open-source, self-hosted productivity platform. A missing permission check in Nextcloud Deck before 1.2.9, 1.4.5 and 1.5.3 allows another authenticated users to access Deck cards of another user. It is recommended that the Nextcloud Deck App is upgraded to 1.2.9, 1.4.5 or 1.5.3. There are no known workarounds aside from upgrading.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Nextcloud | Deck | < 1.2.9 |
| Nextcloud | Deck | >= 1.3.0, < 1.4.5 |
| Nextcloud | Deck | >= 1.5.0, < 1.5.3 |
References
- https://github.com/nextcloud/deck/pull/3316Patch, Third Party Advisory
- https://hackerone.com/reports/1331728Permissions Required, Third Party Advisory
- https://github.com/nextcloud/deck/pull/3316Patch, Third Party Advisory
- https://hackerone.com/reports/1331728Permissions Required, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2021-39225?
How severe is CVE-2021-39225?
How do I fix CVE-2021-39225?
Are you affected by CVE-2021-39225?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST