CVE-2024-22401 MEDIUM

CVE-2024-22401: All users can reset the allowed apps list for Nextcloud Guest App users

Vendor Nextcloud
Product security-advisories
Weakness CWE-281
Published January 18, 2024
Last update October 21, 2024

CVSS base score

4.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N

What the vulnerability does

01Description

Nextcloud guests app is a utility to create guest users which can only see files shared with them. In affected versions users could change the allowed list of apps, allowing them to use apps that were not intended to be used. It is recommended that the Guests app is upgraded to 2.4.1, 2.5.1 or 3.0.1. There are no known workarounds for this vulnerability.

Key dates

02Disclosure timeline

January 18, 2024 CVE published
October 21, 2024 Record updated