CVE-2021-32653

LOW

Nextcloud Server <19.0.11, 20.0.10, 21.0.2 - Info Disclosure

Title source: llm

Description

Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server versions prior to 19.0.11, 20.0.10, or 21.0.2 send user IDs to the lookup server even if the user has no fields set to published. The vulnerability is patched in versions 19.0.11, 20.0.10, and 21.0.2; no workarounds outside the updates are known to exist.

References (3)

[Third Party Advisory] https://github.com/nextcloud/security-advisories/security/advisories/GHSA-396j-vqpr-qg45

[Permissions Required, Third Party Advisory] https://hackerone.com/reports/1173436

[Third Party Advisory] https://security.gentoo.org/glsa/202208-17

Scores

CVSS v3 2.7

EPSS 0.0038

EPSS Percentile 59.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Classification

CWE

CWE-201

Status published

Affected Products (1)

nextcloud/nextcloud_server < 19.0.11

Timeline

Published Jun 01, 2021

Tracked Since Feb 18, 2026