CVE-2019-15623

Description

Exposure of Private Information in Nextcloud Server 16.0.1 causes the server to send it's domain and user IDs to the Nextcloud Lookup Server without any further data when the Lookup server is disabled.

Related CPE's

a nextcloud nextcloud_server ********

a suse package_hub -*******

a opensuse backports_sle 15.0 sp1 ******

References

https://hackerone.com/reports/508490

ExploitThird Party Advisory

https://nextcloud.com/security/advisory/?id=NC-SA-2019-016

Third Party AdvisoryVendor Advisory

openSUSE-SU-2020:0220

Mailing ListThird Party Advisory

openSUSE-SU-2020:0229

Third Party Advisory

CvssV3 impact

Version	3.1
VectorString	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
AttackVector	NETWORK
AttackComplexity	LOW
PrivilegesRequired	NONE
UserInteraction	NONE
Scope	UNCHANGED
ConfidentialityImpact	LOW
IntegrityImpact	NONE
AvailabilityImpact	NONE
BaseScore	5.3
BaseSeverity	MEDIUM

CvssV2 impact

Version	2.0
VectorString	AV:N/AC:L/Au:N/C:P/I:N/A:N
AccessVector	NETWORK
AccessComplexity	LOW
Authentication	NONE
ConfidentialityImpact	PARTIAL
IntegrityImpact	NONE
AvailabilityImpact	NONE
BaseScore	5

Created by Yello

About Severity.io