SQL Injection in lookup-server (NC-SA-2019-010)
26th July 2019
Risk level: Low
CVSS v3 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N)
HackerOne report: 508487
Improper sanitization of user input allowed any unauthenticated user to perform SQL injection attacks.
- Nextcloud Lookup-server < 0.3.0 (CVE-2019-5476)
The error has been fixed.
It is recommended that all instances are upgraded to at least version 0.3.0.
The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Leon Klingele (firstname.lastname@example.org) - Vulnerability discovery and disclosure.
This advisory is licensed CC BY-SA 4.0.