Description

Exposure of Private Information in Nextcloud Server 16.0.1 causes the server to send it's domain and user IDs to the Nextcloud Lookup Server without any further data when the Lookup server is disabled.

Related CPE's

a

nextcloud

nextcloud_server

3

a

opensuse

backports_sle

15.0

sp1

Vulnerable

a

suse

package_hub

-

Vulnerable

References

http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00019.html

Mailing ListThird Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00022.html

Third Party Advisory

https://hackerone.com/reports/508490

ExploitThird Party Advisory

https://nextcloud.com/security/advisory/?id=NC-SA-2019-016

Third Party AdvisoryVendor Advisory

Weaknesses

[email protected]

Primary
NVD-CWE-noinfo

[email protected]

Secondary
CWE-359

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5.3 · Medium

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information

Source identifier

[email protected]

Vulnerability status

Analyzed

Published

2020-02-04T20:15:12.667

5 years ago

Last modified

2021-10-29T16:22:59.887

3 years ago