Nextcloud: Disclosure of administrators via JSON on nextcloud.com WordPress

2017-01-13T05:05:26
ID H1:198012
Type hackerone
Reporter rbcafe
Modified 2017-01-13T10:33:54

Description

@rbcafe reported the following issue. Since it contains references to internal data, we've decided to disclose this issue only limitedly.


Greetings,

Description:

Since the update of the website to WordPress 4.7, the JSON discloses administrators:

POC:

https://nextcloud.com/wp-json/wp/v2/users

Best regards @Rbcafe
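
One way to close this exposure on the WordPress side, as an added example that is not part of the original report and not Nextcloud's own fix: a small must-use plugin that removes the `/wp/v2/users` routes for unauthenticated requests. The file path and the choice to keep the routes for any logged-in user are assumptions.

```php
<?php
/**
 * Plugin Name: Restrict REST user listing (added example)
 *
 * Assumed location: wp-content/mu-plugins/restrict-rest-users.php
 * Uses the core `rest_endpoints` filter, which receives the full route map
 * before the REST server dispatches a request.
 */

add_filter('rest_endpoints', function (array $endpoints): array {
    // Assumption: logged-in users (e.g. editors picking a post author)
    // still need the endpoint, so only anonymous requests are restricted.
    if (is_user_logged_in()) {
        return $endpoints;
    }

    // Drop the collection route, the per-ID route and /users/me, i.e. every
    // route that starts with /wp/v2/users, so anonymous clients get a 404
    // (rest_no_route) instead of a list of account names and slugs.
    foreach (array_keys($endpoints) as $route) {
        if (strpos($route, '/wp/v2/users') === 0) {
            unset($endpoints[$route]);
        }
    }

    return $endpoints;
});
```

After deployment, an unauthenticated GET to `/wp-json/wp/v2/users` should return a `rest_no_route` error, while the same request from a logged-in session with a valid REST nonce still works.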