CVE-2021-37631

Circle can be accessed by non-Circle members in Nextcloud Deck

Description

Deck is an open source kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. In affected versions the Deck application didn't properly check membership of users in a Circle. This allowed other users in the instance to gain access to boards that have been shared with a Circle, even if the user was not a member of the circle. It is recommended that Nextcloud Deck is upgraded to 1.5.1, 1.4.4 or 1.2.9. If you are unable to update it is advised to disable the Deck plugin.

Category

6.5
CVSS
Severity: Medium
CVSS 3.1 •
CVSS 2.0 •
EPSS 0.29%
Third-Party Advisory github.com Third-Party Advisory github.com Third-Party Advisory hackerone.com Third-Party Advisory hackerone.com
Affected: nextcloud security-advisories
Published at:
Updated at:

References

Link Tags
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4mxp-j277-82hr third party advisory
https://github.com/nextcloud/deck/pull/3217 third party advisory patch
https://hackerone.com/reports/1256021 third party advisory permissions required
https://hackerone.com/reports/1280931 third party advisory permissions required

Frequently Asked Questions

What is the severity of CVE-2021-37631?
CVE-2021-37631 has been scored as a medium severity vulnerability.
How to fix CVE-2021-37631?
To fix CVE-2021-37631, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2021-37631 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2021-37631 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-37631?
CVE-2021-37631 affects nextcloud security-advisories.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.