CVE-2021-37630 Information

Description

Nextcloud Circles is an open source social network built for the Nextcloud ecosystem. In affected versions, the Nextcloud Circles application allowed any user to join any "Secret Circle" without approval by the Circle owner, leaking private information. It is recommended that Nextcloud Circles be upgraded to 0.19.15, 0.20.11, or 0.21.4. There are no workarounds for this issue.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Reference

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-56j9-3rj4-wvgm
https://github.com/nextcloud/circles/pull/768
https://hackerone.com/reports/1257624

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

Base Score

6.5

Base Severity

MEDIUM
