hackerone / makosdel / H1:191979
Dec 17, 2016 - 4:38 p.m.

Nextcloud: Limitation of app specific password scope can be bypassed (NC-SA-2017-009)

Reported 2016-12-17 16:38:49 by makosdel via hackerone.com
Bounty: $300
75
EPSS: 0.001 (percentile 21.7%)

# Limitation of app specific password scope can be bypassed (NC-SA-2017-009)

Risk level: Low
**CVSS v3 Base Score:** 3 (AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N)
CWE: Improper Authorization (CWE-285)

# Description
Improper session handling allowed an application-specific password that had no permission to access files to read the user's files anyway.

# Affected Software

  • Nextcloud Server < 11.0.3 (CVE-2017-0892)

# Action Taken
The permission check has been corrected and reviewed.
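The advisory's one-sentence description and fix note leave the mechanism implicit. The following is an added illustration, not Nextcloud's code: it models a hypothetical app-password store where each password carries a "filesystem access" flag, a session created from such a password, and two request handlers, one that checks only for a logged-in user (the class of bug CWE-285 describes) and one that also consults the scope the session was created with. All names (`AppPassword`, `Session`, `authorize`, the endpoint strings and tokens) are constructed for the example.

```python
"""
Hypothetical model of app-password scope enforcement (added example, not
Nextcloud's implementation). Tokens, endpoints and class names are invented.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AppPassword:
    token: str
    user: str
    filesystem_access: bool  # False: the password may not touch the user's files


@dataclass
class Session:
    user: str
    # Scope of the credential that created the session. None means the
    # session came from a full login and has no app-password restriction.
    app_password: Optional[AppPassword] = None


# Constructed credential store for the example.
APP_PASSWORDS = {
    "tok-calendar-only": AppPassword("tok-calendar-only", "alice", filesystem_access=False),
    "tok-desktop-sync": AppPassword("tok-desktop-sync", "alice", filesystem_access=True),
}

# Constructed endpoint names; any request to these touches user files.
FILES_ENDPOINTS = {"/files", "/files/download"}


def login_with_app_password(token: str) -> Optional[Session]:
    """Create a session from an app password, recording its scope on the session."""
    ap = APP_PASSWORDS.get(token)
    if ap is None:
        return None
    return Session(user=ap.user, app_password=ap)


def authorize_vulnerable(session: Optional[Session], endpoint: str) -> bool:
    """Bug pattern: once a session exists, only 'is someone logged in?' is
    checked, so the scope of the app password that created it is ignored."""
    return session is not None and session.user != ""


def authorize_fixed(session: Optional[Session], endpoint: str) -> bool:
    """Corrected check: files endpoints additionally require that the
    credential behind the session is allowed to access the filesystem."""
    if session is None or session.user == "":
        return False
    if endpoint in FILES_ENDPOINTS:
        ap = session.app_password
        if ap is not None and not ap.filesystem_access:
            return False  # app password without files permission: deny
    return True


if __name__ == "__main__":
    s = login_with_app_password("tok-calendar-only")
    print("vulnerable:", authorize_vulnerable(s, "/files"))  # True: scope ignored
    print("fixed:     ", authorize_fixed(s, "/files"))       # False: scope enforced
    print("calendar:  ", authorize_fixed(s, "/calendar"))    # True: outside files scope
```

The point of the corrected handler is that the restriction is evaluated on every request against the scope stored in the session, not only at the moment the password is accepted; a session that outlives the login step must still carry and enforce the limitation.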

# Acknowledgements
The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:

  • makosdel - Vulnerability discovery and disclosure.
