Notes app can be tricked into using a received share created before the user logged in
Moderate
nickvergessen
published
GHSA-wfqv-cx85-7rjx Jun 14, 2024
Package
Notes
(Nextcloud)
Affected versions
>= 4.6.0
Patched versions
4.9.3
Description
Impact
If an attacker managed to share a folder called Notes/ with a newly created user before they logged in, the Notes app would use that folder to store the personal notes.
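An added example, not part of the advisory or the Notes app's code: a small audit that flags received shares matching the condition above (a folder named Notes shared with an account before its first login). The record fields, account names and timestamps are constructed, and exporting shares and first-login times from a real instance is assumed to happen elsewhere.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

NOTES_FOLDER = "Notes"  # folder name given in the advisory


@dataclass
class Share:
    owner: str      # account that created the share (hypothetical field)
    recipient: str  # account the folder was shared with (hypothetical field)
    target: str     # path at which the share appears for the recipient
    created: int    # share creation time, Unix seconds


def suspicious_notes_shares(shares: List[Share],
                            first_login: Dict[str, Optional[int]]) -> List[Share]:
    """Return shares named Notes/ at the recipient's top level that were
    created before the recipient's first login (or while the recipient
    has not logged in yet)."""
    flagged = []
    for s in shares:
        # Only a top-level folder called exactly "Notes" matches the advisory.
        if s.target.strip("/") != NOTES_FOLDER:
            continue
        # A folder the user owns is not a received share.
        if s.owner == s.recipient:
            continue
        login = first_login.get(s.recipient)
        # None means the account exists but has never logged in.
        if login is None or s.created < login:
            flagged.append(s)
    return flagged


# Constructed sample data, for illustration only.
SAMPLE_SHARES = [
    Share("mallory", "alice", "/Notes", 1000),   # before alice's first login
    Share("bob", "carol", "/Notes", 3000),       # after carol's first login
    Share("mallory", "dave", "/Notes/", 1500),   # dave has never logged in
    Share("bob", "alice", "/Projects", 500),     # different folder name
]
SAMPLE_FIRST_LOGIN = {"alice": 2000, "carol": 2500, "dave": None}

if __name__ == "__main__":
    for hit in suspicious_notes_shares(SAMPLE_SHARES, SAMPLE_FIRST_LOGIN):
        print(f"review: {hit.owner} -> {hit.recipient} at {hit.target}")
```

Accounts flagged this way are worth reviewing after the upgrade, since notes written before the fix may already sit in a folder owned by another user.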
Patches
It is recommended that the Nextcloud Notes app is upgraded to 4.9.3.
Workarounds
References
For more information
If you have any questions or comments about this advisory: