Back to search
CVE-2017-0936
Published: Mar 28, 2018
Modified: Sep 16, 2024
PUBLISHED
Description
Nextcloud Server before 11.0.7 and 12.0.5 suffers from an Authorization Bypass Through User-Controlled Key vulnerability. A missing ownership check allowed logged-in users to change the scope of app passwords of other users. Note that the app passwords themselves where neither disclosed nor could the error be misused to identify as another user.
| Vendor | Product | Versions |
|---|---|---|
Nextcloud | Nextcloud Server | affected before 11.0.7 and 12.0.5 |
Weaknesses (CWE)
References
https://hackerone.com/reports/297751
x_refsource_MISC
https://nextcloud.com/security/advisory/?id=nc-sa-2018-001
x_refsource_CONFIRM
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now