Vulnerability Description
Nextcloud Deck is a Kanban-style project & personal management tool for Nextcloud. In versions prior to 1.4.8, 1.5.6, and 1.6.1, an authenticated user can move stacks with cards from their own board to a board of another user. The Nextcloud Deck app contains a patch for this issue in versions 1.4.8, 1.5.6, and 1.6.1. There are no known currently-known workarounds available.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nextcloud | Deck | < 1.4.8 |
Related Weaknesses (CWE)
References
- https://github.com/nextcloud/deck/pull/3541Issue TrackingPatchThird Party Advisory
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vqhf-6ExploitIssue TrackingThird Party Advisory
- https://hackerone.com/reports/1450117ExploitIssue TrackingThird Party Advisory
- https://github.com/nextcloud/deck/pull/3541Issue TrackingPatchThird Party Advisory
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vqhf-6ExploitIssue TrackingThird Party Advisory
- https://hackerone.com/reports/1450117ExploitIssue TrackingThird Party Advisory
FAQ
What is CVE-2022-29159?
CVE-2022-29159 is a vulnerability with a CVSS score of 5.0 (MEDIUM). Nextcloud Deck is a Kanban-style project & personal management tool for Nextcloud. In versions prior to 1.4.8, 1.5.6, and 1.6.1, an authenticated user can move stacks with cards from their own board t...
How severe is CVE-2022-29159?
CVE-2022-29159 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-29159?
Check the references section above for vendor advisories and patch information. Affected products include: Nextcloud Deck.