Bypass lock protection in Android app (NC-SA-2019-004)
26th July 2019
Risk level: Low
CVSS v3 Base Score: 5.9 (AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
HackerOne report: 490946
Creating a fake multi-account and aborting the process would redirect the user to the default account of the device without asking for the lock pattern if one was set up.
- Nextcloud Android < 3.6.1 (CVE-2019-5455)
The error has been fixed.
It is recommended that users upgrade to version 3.6.1.
This advisory is licensed CC BY-SA 4.0.