Duplicate setup of second factor allowed (NC-SA-2020-006)
25th October 2019
Risk level: Low
CVSS v3 Base Score: 4.6 (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)
HackerOne report: 722748
A missing check in Nextcloud Server 17.0.0 allowed an attacker to set up a new second factor when trying to log in.
Affected software: Nextcloud Server < 17.0.1 (CVE-2019-15617)
The error has been fixed.
It is recommended that the Nextcloud Server is upgraded to 17.0.1.
The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:
This advisory is licensed CC BY-SA 4.0.