Description
Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server versions prior to 19.0.11, 20.0.10, or 21.0.2 send user IDs to the lookup server even if the user has no fields set to published. The vulnerability is patched in versions 19.0.11, 20.0.10, and 21.0.2; no workarounds outside the updates are known to exist.
Related CPEs
a
nextcloud
nextcloud_server
3
References
https://hackerone.com/reports/1173436
Permissions Required, Third Party Advisory
https://security.gentoo.org/glsa/202208-17
Third Party Advisory
CVSS impact metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
2.7 · Low
Information
Source identifier
Vulnerability status: Analyzed
Published: 2021-06-01T20:15:08.517
Last modified: 2022-10-26T14:09:34.487