Improper access control checks for share expiration date (NC-SA-2019-002)
12th April 2019
Risk level: Low
CVSS v3 Base Score: 4.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
HackerOne report: 447494
A missing check could allow the recipient of a share to extend the expiration date of that share.
- Nextcloud Server < 15.0.0 (CVE-2020-8122)
- Nextcloud Server < 14.0.4 (CVE-2020-8122)
- Nextcloud Server < 13.0.8 (CVE-2020-8122)
- Nextcloud Server < 12.0.13 (CVE-2020-8122)
The error has been fixed.
It is recommended that all instances are upgraded to Nextcloud 15.0.0, Nextcloud 14.0.4, Nextcloud 13.0.8 or Nextcloud 12.0.13.
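To check a fleet against the fixed releases above, the following added example (not part of the original advisory or of Nextcloud's code) classifies instances from the `version` field of their `status.php` JSON reply. It reads the affected list per branch, following the upgrade recommendation; the host names and reply bodies are constructed sample data, and pre-release builds are assumed not to be in use.

```python
import json

# First fixed release on each branch, as listed in the advisory.
FIXED = {12: (12, 0, 13), 13: (13, 0, 8), 14: (14, 0, 4), 15: (15, 0, 0)}

# Constructed sample: host -> body returned by that host's status.php.
SAMPLE = {
    "cloud-a.example": '{"installed":true,"version":"14.0.3.0","productname":"Nextcloud"}',
    "cloud-b.example": '{"installed":true,"version":"13.0.8.2","productname":"Nextcloud"}',
    "cloud-c.example": '{"installed":true,"version":"11.0.8.1","productname":"Nextcloud"}',
    "cloud-d.example": "<html>502 Bad Gateway</html>",
}


def parse_version(text):
    """Turn '14.0.3.0' into (14, 0, 3); reject anything that is not dotted digits."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in parts[:3])


def is_affected(version_text):
    """True when the release predates the fix for its own branch."""
    version = parse_version(version_text)
    major = version[0]
    if major < min(FIXED):
        return True   # below 12.0.13 with no fixed release on that branch
    if major > max(FIXED):
        return False  # later than 15.0.0
    return version < FIXED[major]


def triage(status_bodies):
    """Map each host to 'affected', 'fixed' or 'unknown' (unparseable reply)."""
    result = {}
    for host, body in status_bodies.items():
        try:
            version = json.loads(body)["version"]
            result[host] = "affected" if is_affected(version) else "fixed"
        except (ValueError, KeyError, TypeError, AttributeError):
            result[host] = "unknown"
    return result


if __name__ == "__main__":
    for host, state in triage(SAMPLE).items():
        print(f"{host}: {state}")
```

Hosts reported as `unknown` returned something other than the expected JSON and need a manual check rather than being counted as fixed.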
This advisory is licensed CC BY-SA 4.0.