CVE-2021-37628 Information

Description

Nextcloud Richdocuments is an open source collaborative office suite. In affected versions the File Drop feature ("Upload Only" public link shares in Nextcloud) can be bypassed using the Nextcloud Richdocuments app: an attacker was able to read arbitrary files in such a share. It is recommended that Nextcloud Richdocuments be upgraded to 3.8.4 or 4.2.1. If upgrading is not possible, it is recommended to disable the Richdocuments application.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Reference

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-pxhh-954f-8w7w
https://hackerone.com/reports/1253403
https://github.com/nextcloud/richdocuments/pull/1664

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

Base Score

7.5

Base Severity

HIGH
