Description
A wrong configuration in Nextcloud Server 19.0.1 incorrectly made the user feel the passwordless WebAuthn is also a two factor verification by asking for the PIN of the passwordless WebAuthn but not verifying it.
References (2)
Core 2
Core References
Exploit, Third Party Advisory x_refsource_misc
https://hackerone.com/reports/924393
Broken Link, Vendor Advisory x_refsource_misc
https://nextcloud.com/security/advisory/?id=NC-SA-2020-037
Scores
CVSS v3
6.8
EPSS
0.0008
EPSS Percentile
23.8%
Attack Vector
PHYSICAL
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-287
Status
published
Products (1)
nextcloud/nextcloud_server
< 19.0.2
Published
Nov 02, 2020
Tracked Since
Feb 18, 2026