Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-37312

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-14 Jun, 2024 | 14:43
Updated At-02 Aug, 2024 | 03:50
Rejected At-
Credits

Nextcloud user_oidc app's ID4me feature is available even when disabled

user_oidc app is an OpenID Connect user backend for Nextcloud. Missing access control on the ID4me endpoint allows an attacker to register an account eventually getting access to data that is available to all registered users. It is recommended that the OpenID Connect user backend is upgraded to 3.0.0 (Nextcloud 20-23), 4.0.0 (Nexcloud 24) or 5.0.0 (Nextcloud 25-28).

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:14 Jun, 2024 | 14:43
Updated At:02 Aug, 2024 | 03:50
Rejected At:
▼CVE Numbering Authority (CNA)
Nextcloud user_oidc app's ID4me feature is available even when disabled

user_oidc app is an OpenID Connect user backend for Nextcloud. Missing access control on the ID4me endpoint allows an attacker to register an account eventually getting access to data that is available to all registered users. It is recommended that the OpenID Connect user backend is upgraded to 3.0.0 (Nextcloud 20-23), 4.0.0 (Nexcloud 24) or 5.0.0 (Nextcloud 25-28).

Affected Products
Vendor
Nextcloud GmbHnextcloud
Product
security-advisories
Versions
Affected
  • <= 1.3.6
Problem Types
TypeCWE IDDescription
CWECWE-284CWE-284: Improper Access Control
Type: CWE
CWE ID: CWE-284
Description: CWE-284: Improper Access Control
Metrics
VersionBase scoreBase severityVector
3.16.3MEDIUM
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Version: 3.1
Base score: 6.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vw7g-959g-vj6q
x_refsource_CONFIRM
https://github.com/nextcloud/user_oidc/commit/9f68a716ecd264160a7c098b8840313f1ac855f2
x_refsource_MISC
https://hackerone.com/reports/2376929
x_refsource_MISC
Hyperlink: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vw7g-959g-vj6q
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/nextcloud/user_oidc/commit/9f68a716ecd264160a7c098b8840313f1ac855f2
Resource:
x_refsource_MISC
Hyperlink: https://hackerone.com/reports/2376929
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Vendor
Nextcloud GmbHnextcloud
Product
user_oidc
CPEs
  • cpe:2.3:a:nextcloud:user_oidc:-:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • From 0 through 1.3.6 (custom)
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
2. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vw7g-959g-vj6q
x_refsource_CONFIRM
x_transferred
https://github.com/nextcloud/user_oidc/commit/9f68a716ecd264160a7c098b8840313f1ac855f2
x_refsource_MISC
x_transferred
https://hackerone.com/reports/2376929
x_refsource_MISC
x_transferred
Hyperlink: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vw7g-959g-vj6q
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: https://github.com/nextcloud/user_oidc/commit/9f68a716ecd264160a7c098b8840313f1ac855f2
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://hackerone.com/reports/2376929
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:14 Jun, 2024 | 15:15
Updated At:14 Aug, 2025 | 19:18

user_oidc app is an OpenID Connect user backend for Nextcloud. Missing access control on the ID4me endpoint allows an attacker to register an account eventually getting access to data that is available to all registered users. It is recommended that the OpenID Connect user backend is upgraded to 3.0.0 (Nextcloud 20-23), 4.0.0 (Nexcloud 24) or 5.0.0 (Nextcloud 25-28).

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.16.3MEDIUM
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary3.16.3MEDIUM
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Type: Secondary
Version: 3.1
Base score: 6.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Type: Primary
Version: 3.1
Base score: 6.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CPE Matches
Nextcloud GmbH
nextcloud
>>user_oidc>>Versions before 5.0.0(exclusive)
cpe:2.3:a:nextcloud:user_oidc:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-284Secondarysecurity-advisories@github.com
NVD-CWE-noinfoPrimarynvd@nist.gov
CWE ID: CWE-284
Type: Secondary
Source: security-advisories@github.com
CWE ID: NVD-CWE-noinfo
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vw7g-959g-vj6qsecurity-advisories@github.com
Vendor Advisory
https://github.com/nextcloud/user_oidc/commit/9f68a716ecd264160a7c098b8840313f1ac855f2security-advisories@github.com
Patch
https://hackerone.com/reports/2376929security-advisories@github.com
Exploit
Third Party Advisory
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vw7g-959g-vj6qaf854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
https://github.com/nextcloud/user_oidc/commit/9f68a716ecd264160a7c098b8840313f1ac855f2af854a3a-2127-422b-91ae-364da2661108
Patch
https://hackerone.com/reports/2376929af854a3a-2127-422b-91ae-364da2661108
Exploit
Third Party Advisory
Hyperlink: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vw7g-959g-vj6q
Source: security-advisories@github.com
Resource:
Vendor Advisory
Hyperlink: https://github.com/nextcloud/user_oidc/commit/9f68a716ecd264160a7c098b8840313f1ac855f2
Source: security-advisories@github.com
Resource:
Patch
Hyperlink: https://hackerone.com/reports/2376929
Source: security-advisories@github.com
Resource:
Exploit
Third Party Advisory
Hyperlink: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vw7g-959g-vj6q
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Vendor Advisory
Hyperlink: https://github.com/nextcloud/user_oidc/commit/9f68a716ecd264160a7c098b8840313f1ac855f2
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Patch
Hyperlink: https://hackerone.com/reports/2376929
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Exploit
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

56Records found
CVE-2016-9467
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-5.3||MEDIUM
EPSS-1.04% / 76.59%
||
7 Day CHG~0.00%
Published-28 Mar, 2017 | 02:46
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from content spoofing in the files app. The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user.

Action-Not Available
Vendor-n/aNextcloud GmbHownCloud GmbH
Product-owncloudnextcloud_serverNextcloud Server & ownCloud Server Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-451
User Interface (UI) Misrepresentation of Critical Information
CVE-2016-9461
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-4.3||MEDIUM
EPSS-0.76% / 72.34%
||
7 Day CHG~0.00%
Published-28 Mar, 2017 | 02:46
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are not properly verifying edit check permissions on WebDAV copy actions. The WebDAV endpoint was not properly checking the permission on a WebDAV COPY action. This allowed an authenticated attacker with access to a read-only share to put new files in there. It was not possible to modify existing files.

Action-Not Available
Vendor-n/aNextcloud GmbHownCloud GmbH
Product-owncloudnextcloud_serverNextcloud Server & ownCloud Server Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-275
Not Available
CVE-2016-9468
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-5.3||MEDIUM
EPSS-0.30% / 52.93%
||
7 Day CHG~0.00%
Published-28 Mar, 2017 | 02:46
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from content spoofing in the dav app. The exception message displayed on the DAV endpoints contained partially user-controllable input leading to a potential misrepresentation of information.

Action-Not Available
Vendor-n/aNextcloud GmbHownCloud GmbH
Product-owncloudnextcloud_serverNextcloud Server & ownCloud Server Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-451
User Interface (UI) Misrepresentation of Critical Information
CVE-2025-7075
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.02% / 3.42%
||
7 Day CHG~0.00%
Published-05 Jul, 2025 | 23:32
Updated-08 Jul, 2025 | 16:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BlackVue Dashcam 590X HTTP Endpoint upload.cgi unrestricted upload

A vulnerability was found in BlackVue Dashcam 590X up to 20250624. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /upload.cgi of the component HTTP Endpoint. The manipulation leads to unrestricted upload. The attack needs to be done within the local network. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-BlackVue
Product-Dashcam 590X
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2025-2350
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.03% / 6.11%
||
7 Day CHG+0.01%
Published-16 Mar, 2025 | 22:00
Updated-17 Mar, 2025 | 16:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IROAD Dash Cam FX2 upload_file unrestricted upload

A vulnerability was found in IROAD Dash Cam FX2 up to 20250308. It has been rated as critical. Affected by this issue is some unknown functionality of the file /action/upload_file. The manipulation leads to unrestricted upload. Access to the local network is required for this attack to succeed. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-IROAD
Product-Dash Cam FX2
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2025-2121
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.02% / 2.25%
||
7 Day CHG~0.00%
Published-09 Mar, 2025 | 11:00
Updated-22 Jul, 2025 | 14:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Thinkware Car Dashcam F800 Pro File Storage access control

A vulnerability classified as critical has been found in Thinkware Car Dashcam F800 Pro up to 20250226. Affected is an unknown function of the component File Storage. The manipulation leads to improper access controls. The attack can only be done within the local network. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-thinkwareThinkware
Product-f800_prof800_pro_firmwareCar Dashcam F800 Pro
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-284
Improper Access Control
  • Previous
  • 1
  • 2
  • Next
Details not found