Denial of Service attack (NC-SA-2017-004)
5th February 2017
Risk level: Low
CVSS v3 Base Score: 5 (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L)
HackerOne report: 174524
Due to an error in the application logic, an authenticated adversary may trigger an endless recursion in the application, leading to a potential Denial of Service.
Affected software:
- Nextcloud Server < 10.0.2 (CVE-2017-0886)
- Nextcloud Server < 9.0.55 (CVE-2017-0886)
The code path leading to the endless recursion is now properly handled.
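The advisory does not describe the recursive code path, so the following is a generic, constructed illustration of the bug class and of the kind of guard that "properly handles" it, not Nextcloud's code: a walker that resolves nested parent links (nested folders, groups or shares are typical shapes) over data an authenticated user can influence. If that data can form a cycle, an unguarded recursive walk never terminates and exhausts the stack or CPU; the hardened walker tracks visited nodes and caps the depth, so malformed input is rejected instead of taking the worker down. The sample data, the node names and the MAX_DEPTH value are all assumptions.

```python
"""Constructed illustration of the unbounded-recursion DoS class (not Nextcloud code)."""

# Constructed sample data: id -> parent id (None marks a root).
# In CYCLIC, node "c" points back to "a", so a naive walk never reaches a root.
CYCLIC = {"a": "b", "b": "c", "c": "a"}
ACYCLIC = {"a": "b", "b": "c", "c": None}

MAX_DEPTH = 64  # assumed cap; a real limit follows the data model's legitimate nesting


def resolve_path_naive(parents, node):
    """Vulnerable pattern: recursion with no cycle check and no depth bound."""
    parent = parents.get(node)
    if parent is None:
        return [node]
    return [node] + resolve_path_naive(parents, parent)


class CycleError(ValueError):
    """Raised when user-shaped data would make the walk run away."""


def resolve_path_guarded(parents, node, _seen=None, _depth=0):
    """Hardened pattern: refuse to revisit a node and refuse to nest past MAX_DEPTH."""
    if _seen is None:
        _seen = set()
    if node in _seen:
        raise CycleError(f"cycle detected at {node!r}")
    if _depth > MAX_DEPTH:
        raise CycleError(f"nesting deeper than {MAX_DEPTH} at {node!r}")
    _seen.add(node)
    parent = parents.get(node)
    if parent is None:
        return [node]
    return [node] + resolve_path_guarded(parents, parent, _seen, _depth + 1)


def naive_blows_up(parents, node):
    """True if the naive walker exhausts the interpreter's recursion limit on this input."""
    try:
        resolve_path_naive(parents, node)
    except RecursionError:
        return True
    return False


def guarded_outcome(parents, node):
    """('ok', path) for well-formed input, ('rejected', reason) for cyclic or too-deep input."""
    try:
        return ("ok", resolve_path_guarded(parents, node))
    except CycleError as exc:
        return ("rejected", str(exc))


def long_chain(length):
    """Constructed helper: a non-cyclic chain n0 -> n1 -> ... -> n(length-1) -> root."""
    chain = {f"n{i}": f"n{i + 1}" for i in range(length - 1)}
    chain[f"n{length - 1}"] = None
    return chain


if __name__ == "__main__":
    print("naive walker on cyclic input hits RecursionError:", naive_blows_up(CYCLIC, "a"))
    print("guarded walker on cyclic input:", guarded_outcome(CYCLIC, "a"))
    print("guarded walker on acyclic input:", guarded_outcome(ACYCLIC, "a"))
    print("guarded walker on over-deep chain:", guarded_outcome(long_chain(200), "n0"))
```

The visited set catches the cycle on the first repeated node; the depth cap is the second line of defence for inputs that are not cyclic but are deeper than any legitimate structure, which is also the condition worth alerting on in application logs, since a normal user has no reason to build it.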
The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:
This advisory is licensed CC BY-SA 4.0.