CVE-2020-8154

Published: May 12, 2020Modified: Nov 21, 2024

7.7

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

Exploitability: 3.1 / Impact: 4.0

Source: NVD

Description

An Insecure direct object reference vulnerability in Nextcloud Server 18.0.2 allowed an attacker to remote wipe devices of other users when sending a malicious request directly to the endpoint.

Affected (2)

Products: Nextcloud: Nextcloud Server

Nextcloud

1 product

Nextcloud Server

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Nextcloud Nextcloud Server	Before 17.0.5
Nextcloud Nextcloud Server	From 18.0.0 to 18.0.3

Related CWEs

CWE-639

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (14)

http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00037.html

Source: support@hackerone.com

http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00038.html

Source: support@hackerone.com

http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00040.html

Source: support@hackerone.com

http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00019.html

Source: support@hackerone.com

https://hackerone.com/reports/819807

Source: support@hackerone.com

ExploitThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KC6HLX5SG4PZO6Y54D2LFJ4ATG76BKOP/

Source: support@hackerone.com

https://nextcloud.com/security/advisory/?id=NC-SA-2020-018

Source: support@hackerone.com

Vendor Advisory

http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00037.html