Nextcloud server 12.0.5App password scope can be changed for other users
Error message discloses existence of file in write-only share (NC-SA-2017-003)
5th February 2017
Risk level: Low
CVSS v3 Base Score: 3.7 (AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L)
HackerOne report: 174524
Due to an error in the application logic an adversary with access to a write-only share may enumerate the names of existing files and subfolders by comparing the exception messages.
- Nextcloud Server < 10.0.2 (CVE-2017-0885)
- Nextcloud Server < 9.0.55 (CVE-2017-0885)
The error in the application logic has been addressed.
The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:
This advisory is licensed CC BY-SA 4.0.