CVE-2017-0936

MEDIUM

Nextcloud Server <11.0.7, 12.0.5 - Auth Bypass

Title source: llm

Description

Nextcloud Server before 11.0.7 and 12.0.5 suffers from an Authorization Bypass Through User-Controlled Key vulnerability. A missing ownership check allowed logged-in users to change the scope of app passwords of other users. Note that the app passwords themselves where neither disclosed nor could the error be misused to identify as another user.

References (2)

Core 2

Core References

Third Party Advisory x_refsource_misc

https://hackerone.com/reports/297751

Vendor Advisory x_refsource_confirm

https://nextcloud.com/security/advisory/?id=nc-sa-2018-001

Scores

CVSS v3 5.7

EPSS 0.0014

EPSS Percentile 34.2%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N

Details

CWE

CWE-639

Status published

Products (2)

nextcloud/nextcloud_server 12.0.5

nextcloud/nextcloud_server < 11.0.7

Published Mar 28, 2018

Tracked Since Feb 18, 2026