2 matches found
CVE-2021-32653 Default settings leak federated cloud ID to lookup server of all users
Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server versions prior to 19.0.11, 20.0.10, or 21.0.2 send user IDs to the lookup server even if the user has no fields set to published. The vulnerability is patched in versions 19.0.11, 20.0.10, and 21.0.2; no workaroun...
Nextcloud: Default settings leak federated cloud id to lookup server of all users
So with the default settings Nextcloud still sends requests to the lookup server if users update their profile. Even if none of the fields are set to 'published'. I must admit this is somewhat of a surprise as there is no reason for this. As long as the visibility of none of the fields change and...