CVE-2022-29159

Published: May 20, 2022Modified: Nov 21, 2024

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Exploitability: 2.8 / Impact: 1.4

Source: NVD

Description

Nextcloud Deck is a Kanban-style project & personal management tool for Nextcloud. In versions prior to 1.4.8, 1.5.6, and 1.6.1, an authenticated user can move stacks with cards from their own board to a board of another user. The Nextcloud Deck app contains a patch for this issue in versions 1.4.8, 1.5.6, and 1.6.1. There are no known currently-known workarounds available.

Affected (3)

Products: Nextcloud: Deck

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Nextcloud Deck	Before 1.4.8
Nextcloud Deck	From 1.5.0 to 1.5.6
Nextcloud Deck	From 1.6.0 to 1.6.1

Related CWEs

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (6)

https://github.com/nextcloud/deck/pull/3541

Source: security-advisories@github.com

Issue TrackingPatchThird Party Advisory

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vqhf-673w-7r3j

Source: security-advisories@github.com

ExploitIssue TrackingThird Party Advisory

https://hackerone.com/reports/1450117

Source: security-advisories@github.com

ExploitIssue TrackingThird Party Advisory

https://github.com/nextcloud/deck/pull/3541

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPatchThird Party Advisory

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vqhf-673w-7r3j

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitIssue TrackingThird Party Advisory

https://hackerone.com/reports/1450117

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitIssue TrackingThird Party Advisory

Timeline

No history available yet.