{"id":"CVE-2024-37314","summary":"Nextcloud Photos' shared albums have no restriction on photo removal","details":"Nextcloud Photos is a photo management app. Users can remove photos from the album of registered users. It is recommended that the Nextcloud Server is upgraded to 25.0.7 or 26.0.2 and the Nextcloud Enterprise Server is upgraded to 25.0.7 or 26.0.2.","aliases":["GHSA-9chh-5prm-wp43"],"modified":"2026-04-02T12:21:05.739400Z","published":"2024-06-14T15:05:48.284Z","database_specific":{"cwe_ids":["CWE-284"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/37xxx/CVE-2024-37314.json","cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://hackerone.com/reports/1946298"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/37xxx/CVE-2024-37314.json"},{"type":"ADVISORY","url":"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-9chh-5prm-wp43"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-37314"},{"type":"FIX","url":"https://github.com/nextcloud/photos/pull/1749"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nextcloud/photos","events":[{"introduced":"73a7196d45713c43ec59902e302ed9ead171f37f"},{"fixed":"12685bc42d5d2d169e2444e5f7388f85cb9c640a"}],"database_specific":{"versions":[{"introduced":"25.0.1"},{"fixed":"25.0.7"}]}},{"type":"GIT","repo":"https://github.com/nextcloud/photos","events":[{"introduced":"48ce38f3f0cbaa0381fe35e52781fc32181c77e6"},{"fixed":"1b8874478180b55121cb65e3e1de3022701ed712"}],"database_specific":{"versions":[{"introduced":"26.0.0"},{"fixed":"26.0.2"}]}}],"versions":["v25.0.1","v25.0.2","v25.0.2rc1","v25.0.2rc2","v25.0.2rc3","v25.0.3","v25.0.3rc1","v25.0.3rc2","v25.0.4","v25.0.4rc1","v25.0.5","v25.0.5rc1","v25.0.6","v25.0.6rc1","v25.0.7rc1","v26.0.0","v26.0.1","v26.0.1rc1","v26.0.2rc1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-37314.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/nextcloud/server","events":[{"introduced":"20ea9a25353129b56d46951fe7d23939665ab2b2"},{"fixed":"f14c1100ecae34309931be4c51c8d82296ad17d2"},{"introduced":"62cfd3b4c9ff4d8cdbbe6dcc8b63a1085bb94e3d"},{"fixed":"053cefa373ab62edce8bb69fcfc0d6a5ee6fc3f9"}],"database_specific":{"versions":[{"introduced":"25.0.0"},{"fixed":"25.0.7"},{"introduced":"26.0.0"},{"fixed":"26.0.2"}]}}],"versions":["v25.0.0","v25.0.1","v25.0.1rc1","v25.0.2","v25.0.2rc1","v25.0.2rc2","v25.0.2rc3","v25.0.3","v25.0.3rc1","v25.0.3rc2","v25.0.4","v25.0.4rc1","v25.0.5","v25.0.5rc1","v25.0.6","v25.0.6rc1","v25.0.7rc1","v26.0.0","v26.0.1","v26.0.1rc1","v26.0.2rc1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-37314.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L"}]}