Nextcloud: Access control issue -- [Allow file system access not validated when using session auth]

2018-07-30T15:04:38
ID H1:388515
Type hackerone
Reporter born2hack
Modified 2018-09-25T10:38:15

Description

  1. Obtain an App Token
  2. Check that you can access the files with this token and save the cookies
  3. Revoke filesystem access for this token
  4. See that you can still access the files when using the cookies

At step 4, access to the files should also be forbidden.
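The four steps above, replayed against a simplified model as an added example. This is not Nextcloud's code and not part of the original report. The `Server`, `AppToken` and `run_report_steps` names are hypothetical, and the model assumes the session cookie records which app token created it, so the token's filesystem scope can be re-checked on every cookie-authenticated request.

```python
import secrets


class AppToken:
    def __init__(self):
        self.value = secrets.token_hex(16)
        self.filesystem = True  # models the "Allow filesystem access" setting


class Server:
    """Toy file endpoint (assumption: a session is bound to the token that opened it)."""

    def __init__(self, revalidate_session_scope):
        self.revalidate = revalidate_session_scope
        self.tokens = {}    # token value -> AppToken
        self.sessions = {}  # cookie -> token value that created the session

    def issue_token(self):
        token = AppToken()
        self.tokens[token.value] = token
        return token

    def get_files(self, token=None, cookie=None):
        """Return (http_status, session_cookie_or_None)."""
        if token is not None:
            tok = self.tokens.get(token)
            if tok is None:
                return 401, None
            if not tok.filesystem:
                return 403, None
            cookie = secrets.token_hex(16)
            self.sessions[cookie] = token  # remember the originating token
            return 200, cookie
        bound = self.sessions.get(cookie)
        if bound is None:
            return 401, None
        if self.revalidate:
            # Hardened path: the cookie inherits the token's current scope.
            tok = self.tokens.get(bound)
            if tok is None or not tok.filesystem:
                return 403, None
        return 200, None


def run_report_steps(server):
    token = server.issue_token()                          # step 1
    status, cookie = server.get_files(token=token.value)  # step 2
    token.filesystem = False                              # step 3
    return status, server.get_files(cookie=cookie)[0]     # step 4


if __name__ == "__main__":
    print("session scope not re-checked:", run_report_steps(Server(False)))
    print("session scope re-checked:    ", run_report_steps(Server(True)))
```

The same four calls make a regression test: the last status must be 403 once the scope is revoked.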