Summary:
Allows any user access to sensitive deck card contents.
Steps To Reproduce:
- User creates a new “deck” and “stack”.
- Create another user on your Nextcloud instance.
- curl -X GET -H "OCS-APIREQUEST: true" "http://localhost/index.php/apps/deck/api/v1.0/boards/1/stacks/1" -u hacker
As output you get, for example: {"title":"To do","cards":[{"title":"Example Task 3","}
Impact:
Allows any user access to sensitive deck card contents.
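
The missing object-level check behind this report, modelled as an added example (not code from the report or from Nextcloud Deck). The data model, function names and the users `alice` and `hacker` as owner and second user are assumptions made for illustration; the sample board and stack are constructed to mirror the request above.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Caller is authenticated but has no read permission on the board."""


class NotFound(Exception):
    """Board is unknown, or the stack does not exist on that board."""


@dataclass
class Board:
    id: int
    owner: str
    shared_with: set = field(default_factory=set)  # users granted read access


@dataclass
class Stack:
    id: int
    board_id: int
    title: str
    cards: list


# Constructed sample data: alice owns board 1, which holds stack 1.
BOARDS = {1: Board(id=1, owner="alice")}
STACKS = {1: Stack(id=1, board_id=1, title="To do", cards=["Example Task 3"])}


def get_stack_unchecked(user, board_id, stack_id):
    """Behaviour described in the report: any authenticated user is served."""
    stack = STACKS[stack_id]
    return {"title": stack.title, "cards": [{"title": c} for c in stack.cards]}


def get_stack(user, board_id, stack_id):
    """Same lookup, with the caller checked against the board before data is read."""
    board = BOARDS.get(board_id)
    if board is None:
        raise NotFound(f"board {board_id}")
    if user != board.owner and user not in board.shared_with:
        raise Forbidden(f"{user} may not read board {board_id}")
    stack = STACKS.get(stack_id)
    # A stack reached through the wrong board is treated as missing, so a
    # board the caller can read cannot be used to reach another board's stack.
    if stack is None or stack.board_id != board_id:
        raise NotFound(f"stack {stack_id} on board {board_id}")
    return {"title": stack.title, "cards": [{"title": c} for c in stack.cards]}
```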