CVE-2020-8154

Description

An Insecure direct object reference vulnerability in Nextcloud Server 18.0.2 allowed an attacker to remote wipe devices of other users when sending a malicious request directly to the endpoint.

Related CPE's

anextcloudnextcloud_server********

anextcloudnextcloud_server********

References

https://nextcloud.com/security/advisory/?id=NC-SA-2020-018

Vendor Advisory

https://hackerone.com/reports/819807

ExploitThird Party Advisory

openSUSE-SU-2020:0667

openSUSE-SU-2020:0668

openSUSE-SU-2020:0670

openSUSE-SU-2020:1652

FEDORA-2020-c9863904de

CvssV3 impact

Version

3.1

VectorString

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

AttackVector

NETWORK

AttackComplexity

LOW

PrivilegesRequired

LOW

UserInteraction

NONE

Scope

CHANGED

ConfidentialityImpact

NONE

IntegrityImpact

NONE

AvailabilityImpact

HIGH

BaseScore

7.7

BaseSeverity

HIGH

CvssV2 impact

Version

2.0

VectorString

AV:N/AC:L/Au:S/C:N/I:N/A:C

AccessVector

NETWORK

AccessComplexity

LOW

Authentication

SINGLE

ConfidentialityImpact

NONE

IntegrityImpact

NONE

AvailabilityImpact

COMPLETE

BaseScore

6.800000190734863

Created by Yello
About Severity.io