Content-Spoofing in "dav" app (NC-SA-2016-011)
10th October 2016
Risk level: Low
CVSS v3 Base Score: 3.1 (AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)
HackerOne report: 149798
The exception message displayed on the DAV endpoints contained partially user-controllable input, allowing the server's own error response to carry attacker-chosen text and so potentially misrepresent information to a user.
- Nextcloud Server < 10.0.1 (CVE-2016-9468)
- Nextcloud Server < 9.0.54 (CVE-2016-9468)
The user-controlled content has been removed from the exception message.
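As an added illustration (not Nextcloud's own code), the following regression check parses a DAV error body and flags when text taken from the request path is echoed back in the server's message; the request path and both response bodies are constructed here, and the envelope shape follows the generic sabre/dav error format.

```python
"""Regression check: a DAV error body must not echo caller-supplied input.

Constructed example, not Nextcloud code. The XML shape follows the generic
sabre/dav error envelope (d:error / s:exception / s:message).
"""
import xml.etree.ElementTree as ET

NS = {"d": "DAV:", "s": "http://sabredav.org/ns"}


def error_message(body: str) -> str:
    """Return the text of <s:message> from a DAV error response, or ''."""
    root = ET.fromstring(body)
    if root.tag != "{DAV:}error":
        raise ValueError("not a DAV error document")
    node = root.find("s:message", NS)
    return (node.text or "") if node is not None else ""


def reflects_input(body: str, user_input: str) -> bool:
    """True when any client-controlled token (>= 4 chars) from the request
    appears verbatim in the server's message, i.e. the error response can
    carry attacker-chosen text."""
    msg = error_message(body)
    tokens = {t for t in user_input.replace("/", " ").split() if len(t) >= 4}
    return any(t in msg for t in tokens)


# Constructed request path that smuggles a fake notice into the URL.
REQUEST_PATH = "/remote.php/dav/files/alice/Your account is suspended, call 555-0100"

# Constructed response bodies: the first echoes the path, the second does not.
VULNERABLE_BODY = f"""<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>Sabre\\DAV\\Exception\\NotFound</s:exception>
  <s:message>File with name {REQUEST_PATH} could not be located</s:message>
</d:error>"""

FIXED_BODY = """<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>Sabre\\DAV\\Exception\\NotFound</s:exception>
  <s:message>File could not be located</s:message>
</d:error>"""

if __name__ == "__main__":
    print("vulnerable body echoes input:", reflects_input(VULNERABLE_BODY, REQUEST_PATH))
    print("fixed body echoes input:", reflects_input(FIXED_BODY, REQUEST_PATH))
```

The same check can be pointed at a live endpoint's error body to confirm the fix holds after upgrades.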
The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:
This advisory is licensed CC BY-SA 4.0.