Edit permission check not enforced on WebDAV COPY action (NC-SA-2016-004)
19th July 2016
Risk level: Medium
CVSS v3 Base Score: 3.1 (AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N)
HackerOne report: 145950
The WebDAV endpoint did not properly check permissions on a WebDAV "COPY" action. This allowed an authenticated attacker with access to a read-only share to create new files inside it. It was not possible to modify existing files.
Affected software:
- Nextcloud Server < 9.0.52 (CVE-2016-9461)
Action taken: The permission check is now also performed on "COPY" actions.
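Added example, not Nextcloud's own code: a Python model of the COPY permission check this advisory describes, with the pre-fix handler beside the fixed one. The in-memory tree, the two handlers, the sample share layout and all helper names are constructed for illustration; only the permission bit values mirror Nextcloud's OCP\Constants.

```python
# Added example, not Nextcloud's code. Tree, handlers and layout are constructed;
# only the bit values below mirror OCP\Constants in Nextcloud.
PERMISSION_READ = 1
PERMISSION_UPDATE = 2
PERMISSION_CREATE = 4
PERMISSION_DELETE = 8
PERMISSION_ALL = PERMISSION_READ | PERMISSION_UPDATE | PERMISSION_CREATE | PERMISSION_DELETE


class Forbidden(Exception):
    """Stand-in for the 403 a DAV server returns when a permission check fails."""


class Node:
    def __init__(self, path, permissions, is_collection=False, content=b""):
        self.path = path
        self.permissions = permissions
        self.is_collection = is_collection
        self.content = content


class Tree:
    """Constructed in-memory DAV tree: absolute '/'-separated path -> Node."""

    def __init__(self):
        self.nodes = {}

    def add(self, node):
        self.nodes[node.path] = node
        return node

    def get(self, path):
        return self.nodes.get(path)

    def exists(self, path):
        return path in self.nodes

    def parent_of(self, path):
        return self.get(path.rsplit("/", 1)[0] or "/")


def _check_source_and_overwrite(tree, source, destination):
    """Checks both handlers share: the source must be readable and an existing
    destination may only be replaced if its own UPDATE bit is set. This is why
    existing files in a read-only share stayed safe even with the bug present."""
    src = tree.get(source)
    if src is None:
        raise FileNotFoundError(source)
    if not src.permissions & PERMISSION_READ:
        raise Forbidden("source not readable: " + source)
    existing = tree.get(destination)
    if existing is not None and not existing.permissions & PERMISSION_UPDATE:
        raise Forbidden("destination exists and is not updatable: " + destination)
    return src


def _materialise(tree, src, destination):
    """Write the copy; a new entry inherits the permission mask of its collection."""
    parent = tree.parent_of(destination)
    if parent is None or not parent.is_collection:
        raise FileNotFoundError("destination collection missing")  # 409 in real DAV
    return tree.add(Node(destination, parent.permissions, src.is_collection, src.content))


def copy_vulnerable(tree, source, destination):
    """COPY as the advisory describes the pre-fix behaviour: the destination
    collection's CREATE bit is never consulted, so new files land in read-only shares."""
    src = _check_source_and_overwrite(tree, source, destination)
    return _materialise(tree, src, destination)


def copy_fixed(tree, source, destination):
    """COPY with the missing check: creating a new entry requires PERMISSION_CREATE
    on the destination collection."""
    src = _check_source_and_overwrite(tree, source, destination)
    if not tree.exists(destination):
        parent = tree.parent_of(destination)
        if parent is not None and not parent.permissions & PERMISSION_CREATE:
            raise Forbidden("destination collection does not allow CREATE")
    return _materialise(tree, src, destination)


def build_sample_tree():
    """Constructed layout: the attacker's own file, a folder shared with them
    read-only (READ only, as a read-only share carries), and an editable share."""
    t = Tree()
    t.add(Node("/", PERMISSION_ALL, is_collection=True))
    t.add(Node("/mine.txt", PERMISSION_ALL, content=b"attacker controlled"))
    t.add(Node("/readonly-share", PERMISSION_READ, is_collection=True))
    t.add(Node("/readonly-share/existing.txt", PERMISSION_READ, content=b"untouched"))
    t.add(Node("/rw-share", PERMISSION_ALL, is_collection=True))
    return t


def attempt(handler, source, destination):
    """Run one COPY on a fresh sample tree; returns 'created', 'forbidden' or 'missing'."""
    tree = build_sample_tree()
    try:
        handler(tree, source, destination)
    except Forbidden:
        return "forbidden"
    except FileNotFoundError:
        return "missing"
    return "created" if tree.exists(destination) else "missing"


if __name__ == "__main__":
    for name, handler in (("vulnerable", copy_vulnerable), ("fixed", copy_fixed)):
        print(name, "new file in read-only share:", attempt(handler, "/mine.txt", "/readonly-share/dropped.txt"))
        print(name, "overwrite in read-only share:", attempt(handler, "/mine.txt", "/readonly-share/existing.txt"))
        print(name, "new file in editable share:", attempt(handler, "/mine.txt", "/rw-share/dropped.txt"))
```

Running the script shows the three outcomes the advisory text implies: both handlers refuse to overwrite `existing.txt` because the target file's own UPDATE bit is checked, both allow a new file in the editable share, and only the fixed handler refuses a new file in the read-only share. Against a live server the equivalent check is a WebDAV COPY whose `Destination` header points into a share that was granted without edit rights; a patched server answers 403.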
The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:
This advisory is licensed CC BY-SA 4.0.