NVD:CVE-2024-22213
History: Jan 18, 2024 - 8:15 p.m.

CVE-2024-22213

2024-01-18 20:15:08
CWE-79
web.nvd.nist.gov
kanban style organization
project organization
html code execution

CVSS3: 5.4
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

AI Score: 4.2
Confidence: High
EPSS: 0.001
Percentile: 20.0%

Deck is a kanban-style organization tool aimed at personal planning and project organization for teams, integrated with Nextcloud. In affected versions, users could be tricked into executing malicious code in their browser via HTML sent as a comment. It is recommended that Nextcloud Deck be upgraded to version 1.9.5 or 1.11.2. There are no known workarounds for this vulnerability.

Affected configurations

Nvd
Node
nextcloud deck, range 1.9.0 to 1.9.5
OR
nextcloud deck, range 1.10.0 to 1.11.2

Vendor: nextcloud
Product: deck
Version: *
CPE: cpe:2.3:a:nextcloud:deck:*:*:*:*:*:*:*:*
