hackerone · Lukasreschke · H1:218876
Apr 05, 2017 - 8:42 p.m.

Nextcloud: Share tokens for public calendars disclosed (NC-SA-2017-011)

2017-04-05 20:42:06
lukasreschke
hackerone.com
EPSS: 0.001 (Percentile: 33.0%)

# Share tokens for public calendars disclosed (NC-SA-2017-011)

**Risk level:** Medium

**CVSS v3 Base Score:** 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

**CWE:** Information Exposure Through Directory Listing (CWE-548)

# Description
A logical error caused disclosure of valid share tokens for public calendars, potentially granting an attacker access to publicly shared calendars without knowing the share token.

# Affected Software

  • Nextcloud Server < 11.0.3 (CVE-2017-0894)

# Action Taken
The error has been fixed and regression tests have been added.

# Acknowledgements
The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:

  • Lukas Reschke - Nextcloud GmbH ([email protected]) - Vulnerability discovery and disclosure.
