Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
hackeroneMikaelgundersenH1:1675014
HistoryAug 19, 2022 - 7:36 p.m.

Nextcloud: Profile of disabled user stays accessible

2022-08-1919:36:52
mikaelgundersen
hackerone.com
$100
13
nextcloud
user profile
accessibility
data exposure
bug bounty

EPSS

0.001

Percentile

30.8%

JSON

Userprofiles of disabled users keep staying accessible. on DOMAIN/u/USERID
This is quite undesirable as this user has no way to clear or modify this data in case they do not want it exposed anymore.
I’d assume profiles of disabled users would not be visible to ensure they can always be in control of their own data.

Impact

exposure of user info that they can’t control anymore.

Related

nvd 1
cvelist 1
osv 1
prion 1
nextcloud 1
cve 1
openvas 1
nvd
nvd
CVE-2022-39329
2022-10-27 14:15:11
cvelist
cvelist
CVE-2022-39329 Profile of disabled user stays accessible
2022-10-27 00:00:00
osv
osv
CVE-2022-39329
2022-10-27 14:15:11
prion
prion
Code injection
2022-10-27 14:15:00
nextcloud
nextcloud
Profile of disabled user stays accessible
2022-10-27 06:53:08
cve
cve
CVE-2022-39329
2022-10-27 14:15:11
openvas
openvas
Nextcloud Server < 23.0.9, < 24.0.5 Multiple Information Disclosure Vulnerabilities (GHSA-8f3p-rcm5-mrg3, GHSA-qpf5-jj85-36h5)
2022-10-31 00:00:00

EPSS

0.001

Percentile

30.8%

JSON
Related for H1:1675014
nvd1cvelist1osv1prion1nextcloud1cve1openvas1