hackerone michag86 H1:673724
History: Aug 14, 2019 - 3:46 p.m.

Nextcloud: Circle email-members have still access to a shared folder/file after they are removed from the circle

2019-08-14 15:46:23
michag86
hackerone.com
$200
15

EPSS

0.001

Percentile

22.7%

If an email address is added to a circle, the email user still has access after the email address is removed from the circle.
Requirements

Circles app and Share by mail app enabled

Steps to reproduce

  1. add an email address to a circle
  2. share a folder/file with the circle
  3. remove the email address from the circle
  4. try to access the link that was sent to the email address

The email user still has access!

Additional information

For every circle share, a non-user-specific link token is created. This token is sent to the email members.
Another problem is that, if you have forced password usage for link shares and share by mail shares, this link is still accessible without a password.

Tested with:
Nextcloud 15.0.10
Circles 0.16.9
share by mail 1.5.0

Impact

An email member that is removed from a circle
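The non-user-specific token described in the report is what lets access outlive the circle membership, and the shared token also bypasses the forced-password policy. As an added illustration that is neither Nextcloud's code nor the reporter's, the hypothetical registry below issues one token per email recipient, revokes those tokens when the member leaves the circle, and records the password policy at share time; class and method names are assumptions, and the emails are constructed sample data.

```python
from __future__ import annotations
import secrets
from dataclasses import dataclass


@dataclass
class MailShare:
    share_id: str          # what was shared
    circle: str            # which circle membership granted it
    recipient: str         # email member who received this token
    password_required: bool
    revoked: bool = False


class CircleShareRegistry:
    """Hypothetical model: one link token per recipient, not one per circle share."""

    def __init__(self, enforce_password: bool = False) -> None:
        self.enforce_password = enforce_password  # admin policy for mail-share links
        self.members: dict[str, set[str]] = {}    # circle name -> email members
        self.by_token: dict[str, MailShare] = {}

    def add_member(self, circle: str, email: str) -> None:
        self.members.setdefault(circle, set()).add(email)

    def share_with_circle(self, share_id: str, circle: str) -> dict[str, str]:
        """Issue a separate token to each current email member; returns email -> token."""
        issued = {}
        for email in sorted(self.members.get(circle, ())):
            token = secrets.token_urlsafe(16)
            self.by_token[token] = MailShare(share_id, circle, email, self.enforce_password)
            issued[email] = token
        return issued

    def remove_member(self, circle: str, email: str) -> int:
        """Drop the member and revoke every token they obtained through this circle."""
        self.members.get(circle, set()).discard(email)
        hits = [s for s in self.by_token.values()
                if s.circle == circle and s.recipient == email and not s.revoked]
        for share in hits:
            share.revoked = True
        return len(hits)

    def can_access(self, token: str, password_ok: bool = False) -> bool:
        """Unknown or revoked tokens fail; the password policy captured at share time is honoured."""
        share = self.by_token.get(token)
        if share is None or share.revoked:
            return False
        return password_ok or not share.password_required
```

Replaying the report's four steps against this model, the removed member's token stops working at step 3, and no token is usable without a password when the policy is enforced.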
