{"api_version":"1","generated_at":"2026-04-23T04:21:44+00:00","cve":"CVE-2022-24906","urls":{"html":"https://cve.report/CVE-2022-24906","api":"https://cve.report/api/cve/CVE-2022-24906.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-24906","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-24906"},"summary":{"title":"CVE-2022-24906","description":"Nextcloud Deck is a Kanban-style project & personal management tool for Nextcloud, similar to Trello. The full path of the application is exposed to unauthorized users. It is recommended that the Nextcloud Deck app is upgraded to 1.2.11, 1.4.6, or 1.5.4. There is no workaround available.","state":"PUBLIC","assigner":"security-advisories@github.com","published_at":"2022-05-20 16:15:00","updated_at":"2023-07-06 13:36:00"},"problem_types":["CWE-209"],"metrics":[],"references":[{"url":"https://hackerone.com/reports/1354334","name":"https://hackerone.com/reports/1354334","refsource":"MISC","tags":[],"title":"HackerOne","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/nextcloud/deck/pull/3384","name":"https://github.com/nextcloud/deck/pull/3384","refsource":"MISC","tags":[],"title":"Keep exceptions http response generic by juliushaertl · Pull Request #3384 · nextcloud/deck · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hx9w-xfrg-2qvp","name":"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hx9w-xfrg-2qvp","refsource":"CONFIRM","tags":[],"title":"Error in deleting deck cards attachment reveals the full application path · Advisory · nextcloud/security-advisories · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-24906","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24906","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"24906","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nextcloud","cpe5":"deck","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security-advisories@github.com","ID":"CVE-2022-24906","STATE":"PUBLIC","TITLE":"Error in deleting deck cards attachment reveals the full application path in Nextcloud Deck"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"security-advisories","version":{"version_data":[{"version_value":"< 1.2.11"},{"version_value":">= 1.4.0, < 1.4.6"},{"version_value":">= 1.5.0, < 1.5.4"}]}}]},"vendor_name":"nextcloud"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Nextcloud Deck is a Kanban-style project & personal management tool for Nextcloud, similar to Trello. The full path of the application is exposed to unauthorized users. It is recommended that the Nextcloud Deck app is upgraded to 1.2.11, 1.4.6, or 1.5.4. There is no workaround available."}]},"impact":{"cvss":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":3.5,"baseSeverity":"LOW","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}]},"references":{"reference_data":[{"name":"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hx9w-xfrg-2qvp","refsource":"CONFIRM","url":"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hx9w-xfrg-2qvp"},{"name":"https://github.com/nextcloud/deck/pull/3384","refsource":"MISC","url":"https://github.com/nextcloud/deck/pull/3384"},{"name":"https://hackerone.com/reports/1354334","refsource":"MISC","url":"https://hackerone.com/reports/1354334"}]},"source":{"advisory":"GHSA-hx9w-xfrg-2qvp","discovery":"UNKNOWN"}},"nvd":{"publishedDate":"2022-05-20 16:15:00","lastModifiedDate":"2023-07-06 13:36:00","problem_types":["CWE-209"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":4.3,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":1.4},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:N/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":4},"severity":"MEDIUM","exploitabilityScore":8,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:nextcloud:deck:*:*:*:*:*:*:*:*","versionStartIncluding":"1.5.0","versionEndExcluding":"1.5.4","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:nextcloud:deck:*:*:*:*:*:*:*:*","versionStartIncluding":"1.4.0","versionEndExcluding":"1.4.6","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:nextcloud:deck:*:*:*:*:*:*:*:*","versionEndExcluding":"1.2.11","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2022","CveId":"24906","Ordinal":"228242","Title":"CVE-2022-24906","CVE":"CVE-2022-24906","Year":"2022"},"notes":[{"CveYear":"2022","CveId":"24906","Ordinal":"1","NoteData":"** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.","Type":"Description","Title":null}]}}}