Secret Circle can be joined without approval

Moderate

LukasReschke published GHSA-56j9-3rj4-wvgm

Sep 6, 2021

Package

Nextcloud Circles

Affected versions

< 0.19.15, < 0.20.11, < 0.21.4

Patched versions

0.19.15, 0.20.11, 0.21.4

Description

Impact

The Nextcloud Circles application allowed any user to join any "Secret Circle" without approval by the Circle owner.

Patches

It is recommended that Nextcloud Circles is upgraded to 0.19.15, 0.20.11 or 0.21.4.

Workarounds

None.

References

For more information

If you have any questions or comments about this advisory:

Create a post in nextcloud/security-advisories
Customers: Open a support ticket at support.nextcloud.com