Description
Exposure of Private Information in Nextcloud Server 16.0.1 causes the server to send it's domain and user IDs to the Nextcloud Lookup Server without any further data when the Lookup server is disabled.
References (4)
Core 4
Core References
Exploit, Third Party Advisory x_refsource_misc
https://hackerone.com/reports/508490
Third Party Advisory, Vendor Advisory x_refsource_misc
https://nextcloud.com/security/advisory/?id=NC-SA-2019-016
Mailing List, Third Party Advisory vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00019.html
Third Party Advisory vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00022.html
Scores
CVSS v3
5.3
EPSS
0.0188
EPSS Percentile
76.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-359
Status
published
Products (3)
nextcloud/nextcloud_server
< 14.0.13
opensuse/backports_sle
15.0 sp1
suse/package_hub
Published
Feb 04, 2020
Tracked Since
Feb 18, 2026