CVE-2024-37312

Published: Jun 14, 2024Modified: Aug 14, 2025

6.3

Vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Exploitability: 2.8 / Impact: 3.4

Source: NVD

Description

user_oidc app is an OpenID Connect user backend for Nextcloud. Missing access control on the ID4me endpoint allows an attacker to register an account eventually getting access to data that is available to all registered users. It is recommended that the OpenID Connect user backend is upgraded to 3.0.0 (Nextcloud 20-23), 4.0.0 (Nexcloud 24) or 5.0.0 (Nextcloud 25-28).

Affected (1)

Products: Nextcloud: User Oidc

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Nextcloud User Oidc	Before 5.0.0

Related CWEs

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References (6)

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vw7g-959g-vj6q

Source: security-advisories@github.com

Vendor Advisory

https://github.com/nextcloud/user_oidc/commit/9f68a716ecd264160a7c098b8840313f1ac855f2

Source: security-advisories@github.com

Patch

https://hackerone.com/reports/2376929

Source: security-advisories@github.com

ExploitThird Party Advisory

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vw7g-959g-vj6q

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://github.com/nextcloud/user_oidc/commit/9f68a716ecd264160a7c098b8840313f1ac855f2

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://hackerone.com/reports/2376929

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.