Vulnerability DatabaseCVE-2024-37312
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2024-37312
June 14, 2024
user_oidc app is an OpenID Connect user backend for Nextcloud. Missing access control on the ID4me endpoint allows an attacker to register an account eventually getting access to data that is available to all registered users. It is recommended that the OpenID Connect user backend is upgraded to 3.0.0 (Nextcloud 20-23), 4.0.0 (Nexcloud 24) or 5.0.0 (Nextcloud 25-28).
Related ResourcesĀ (3)
https://hackerone.com/reports/2376929
https://github.com/nextcloud/user_oidc/commit/9f68a716ecd264160a7c098b8840313f1ac855f2
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vw7g-959g-vj6q
Do you need more information?
Contact Us
CVSS v4
Base Score:
5.3
Attack Vector
ADJACENT
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
LOW
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.3
Attack Vector
ADJACENT
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
LOW
Availability
LOW
Weakness Type (CWE)
Improper Access Control
CWE-284
EPSS
Base Score:
0.47