Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
hackeroneRtodH1:1181962
HistoryMay 01, 2021 - 2:18 p.m.

Nextcloud: Session fixation on public talk links

2021-05-0114:18:01
rtod
hackerone.com
$100
5
nextcloud
session fixation
public talk links
user session
attacker
cookies
bug bounty

EPSS

0.001

Percentile

27.0%

JSON
  1. userA shares a talk room and protects it with a password
  2. userB opens links but doesn’t enter the password yet
  3. Attacker steals the cookies from userB
  4. userB logs in
  5. attacker is now also able to read the conversation etc

Impact

In short the attacker is able to take over the session of the guest userB on this talk room.

The session id should be renewed once the password is entered.

Related

nextcloud 1
cve 1
osv 1
cvelist 1
prion 1
nvd 1
nextcloud
nextcloud
Session Fixation in Nextcloud Talk
2021-06-15 20:52:46
cve
cve
CVE-2021-32676
2021-06-16 00:15:07
osv
osv
CVE-2021-32676
2021-06-16 00:15:07
cvelist
cvelist
CVE-2021-32676 Session Fixation in Nextcloud Talk
2021-06-16 00:05:10
prion
prion
Code injection
2021-06-16 00:15:00
nvd
nvd
CVE-2021-32676
2021-06-16 00:15:07

EPSS

0.001

Percentile

27.0%

JSON
Related for H1:1181962
nextcloud1cve1osv1cvelist1prion1nvd1