Missing permission check on Deck API

High
LukasReschke published GHSA-2x96-38qg-3m72 Oct 25, 2021

Package

Deck (Nextcloud)

Affected versions

< 1.2.9, < 1.4.5, < 1.5.3

Patched versions

1.2.9, 1.4.5, 1.5.3

Description

Impact

A missing permission check in Nextcloud Deck before 1.2.9, 1.4.5 and 1.5.3 allows an authenticated user to access the Deck cards of another user.

Patches

It is recommended that the Nextcloud Deck App is upgraded to 1.2.9, 1.4.5 or 1.5.3.
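
As an added example (not part of the advisory or of Nextcloud's code), the following Python check classifies installed Deck versions against the patched releases listed above, avoiding the two usual mistakes of comparing versions as strings and of ignoring the per-branch fixes. It assumes plain x.y.z version strings and that branches with no listed fix (such as 1.3) remain affected; the hostnames and inventory are constructed.

```python
import re

# Fixed release per branch, taken from the advisory's "Patched versions".
PATCHED = {(1, 2): (1, 2, 9), (1, 4): (1, 4, 5), (1, 5): (1, 5, 3)}
NEWEST_FIX = max(PATCHED.values())

def parse_version(text):
    """Return (major, minor, patch), or None if not a plain x.y.z release."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)\.(\d+)\s*", text)
    return tuple(int(p) for p in m.groups()) if m else None

def deck_status(text):
    """Classify a Deck version as 'patched', 'affected' or 'unknown'."""
    v = parse_version(text)
    if v is None:
        return "unknown"   # pre-releases or malformed strings need manual review
    if v >= NEWEST_FIX:
        return "patched"   # 1.5.3 and anything newer
    fix = PATCHED.get(v[:2])
    if fix is not None and v >= fix:
        return "patched"   # older branch at or past its own fix, e.g. 1.2.10
    # Assumption: branches with no listed fix (1.0, 1.1, 1.3) stay affected.
    return "affected"

def audit(inventory):
    """Return (host, version, status) rows for {host: version}, worst first."""
    order = {"affected": 0, "unknown": 1, "patched": 2}
    rows = [(host, ver, deck_status(ver)) for host, ver in inventory.items()]
    return sorted(rows, key=lambda r: (order[r[2]], r[0]))

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {
    "cloud-a.example": "1.2.8",
    "cloud-b.example": "1.2.10",
    "cloud-c.example": "1.4.4",
    "cloud-d.example": "1.3.2",
    "cloud-e.example": "1.5.3",
    "cloud-f.example": "1.5.3-beta1",
}

if __name__ == "__main__":
    for host, ver, status in audit(SAMPLE):
        print(f"{host:18} {ver:12} {status}")
```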

Workarounds

None.

References

For more information

If you have any questions or comments about this advisory:

Severity

High

CVE ID

CVE-2021-39225

Weaknesses