CVE-2024-37317

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-37317

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-37317.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-37317

Aliases

GHSA-wfqv-cx85-7rjx

Published

2024-06-14T15:25:24Z

Modified

2025-11-04T20:24:21.015933Z

Severity

4.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L CVSS Calculator

Summary

Nextcloud Notes app can be tricked into using a received share created before the user logged in

Details

The Nextcloud Notes app is a distraction free notes taking app for Nextcloud. If an attacker managed to share a folder called Notes/ with a newly created user before they logged in, the Notes app would use that folder store the personal notes. It is recommended that the Nextcloud Notes app is upgraded to 4.9.3.

Database specific

{
    "cwe_ids": [
        "CWE-284"
    ]
}

References

Affected packages

Git / github.com/nextcloud/notes

Affected ranges

Type: GIT
Repo: https://github.com/nextcloud/notes
Events: Introduced

75c6794aa8b1ef986f6f5af5d3f4408ac08c8a1d

Fixed

1b82bd59d558733f2dc459d471eb0fd0f48bd98d

Affected versions

v4.*

v4.6.0

v4.7.0

v4.7.1

v4.7.2

v4.8.0

v4.8.0-beta.1

v4.8.0-beta.2

v4.8.1

v4.9.0

v4.9.0-beta.1

v4.9.0-beta.2

v4.9.0-beta.3

v4.9.1

v4.9.2