{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "0"
              },
              {
                "fixed": "1.2.11"
              }
            ]
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "f05a1c5dadd9044237a5d3f3e70526e9f6d43477"
            }
          ],
          "repo": "https://github.com/nextcloud/deck",
          "type": "GIT"
        },
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "1.4.0"
              },
              {
                "fixed": "1.4.6"
              }
            ]
          },
          "events": [
            {
              "introduced": "0cd1d8c1485406760a980ae62632ca4f2b60079e"
            },
            {
              "fixed": "ca22b0ad2c646e9a0124d432c2d5da1d9b855cd1"
            }
          ],
          "repo": "https://github.com/nextcloud/deck",
          "type": "GIT"
        },
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "1.5.0"
              },
              {
                "fixed": "1.5.4"
              }
            ]
          },
          "events": [
            {
              "introduced": "45a10f084043d311aee8b2e089f357e7637e39dc"
            },
            {
              "fixed": "35515ce157c8f493908256914e763becc6c837d0"
            }
          ],
          "repo": "https://github.com/nextcloud/deck",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-hx9w-xfrg-2qvp"
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-200"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/24xxx/CVE-2022-24906.json"
  },
  "details": "Nextcloud Deck is a Kanban-style project \u0026 personal management tool for Nextcloud, similar to Trello. The full path of the application is exposed to unauthorized users. It is recommended that the Nextcloud Deck app is upgraded to 1.2.11, 1.4.6, or 1.5.4. There is no workaround available.",
  "id": "CVE-2022-24906",
  "modified": "2026-04-01T23:10:01.307308821Z",
  "published": "2022-05-20T15:40:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/1354334"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/24xxx/CVE-2022-24906.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hx9w-xfrg-2qvp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24906"
    },
    {
      "type": "FIX",
      "url": "https://github.com/nextcloud/deck/pull/3384"
    }
  ],
  "schema_version": "1.7.3",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Error in deleting deck cards attachment reveals the full application path in Nextcloud Deck"
}