Nextcloud: Github wikis are editable by anyone

ID H1:457032
Type hackerone
Reporter c0rv4x
Modified 2018-12-07T18:11:16


GitHub wikis on the following projects

can be edited by any logged-in user in the system. This poses a security and reputational risk for the company.



Because the wikis listed above can be edited by anyone on the internet, a malicious actor can craft a convincing message or note that leads a user to download a malicious component in a way that seems natural.

For example:

Please note that the current version is not stable due to the following line: informat_note_send.c:4562
To ensure that the program won't crash in production, please consider installing this patch
In case of any following troubles, drop us an email at

A user who trusts the company will surely trust its code, so they will extend that trust to the wiki, consider it safe enough to follow the instructions, and end up downloading malware themselves.