Calendar and addressbook names disclosed (NC-SA-2017-012)
8th May 2017
Risk level: Low
CVSS v3 Base Score: 3.5 (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)
HackerOne report: 203594
A logical error caused disclosure of calendar and addressbook names to other logged-in users. Note that no actual content of the calendar and addressbook has been disclosed.
- Nextcloud Server < 11.0.2 (CVE-2017-0895)
- Nextcloud Server < 10.0.4 (CVE-2017-0895)
The error has been fixed and regression tests have been added.
The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:
This advisory is licensed CC BY-SA 4.0.