Description
Nextcloud Android App (com.nextcloud.client) before v3.16.0 is vulnerable to information disclosure: searches for sharees are performed on the lookup server by default, instead of using only the local Nextcloud server unless the user has explicitly chosen a global search.
References (2)
Core References
Third Party Advisory x_refsource_misc
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-22v9-q3r6-x7cj
Exploit, Issue Tracking, Third Party Advisory x_refsource_misc
https://hackerone.com/reports/1167916
Scores
CVSS v3
6.5
EPSS
0.0065
EPSS Percentile
71.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Details
CWE
CWE-200
Status
published
Products (1)
nextcloud/nextcloud
< 3.16.0
Published
Jun 11, 2021
Tracked Since
Feb 18, 2026