#Limitation of app specific password scope can be bypassed (NC-SA-2017-009)
**Risk level:** Low

**CVSS v3 Base Score:** 3 (AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N)

**CWE:** Improper Authorization (CWE-285)
#Description
Improper session handling allowed an application-specific password that lacked the file access permission to access the user's files.
#Affected Software
#Action Taken
The permission check has been corrected and reviewed.
#Acknowledgements
The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory: