CVE-2021-32653
LOWNextcloud Server <19.0.11, 20.0.10, 21.0.2 - Info Disclosure
Title source: llmDescription
Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server versions prior to 19.0.11, 20.0.10, or 21.0.2 send user IDs to the lookup server even if the user has no fields set to published. The vulnerability is patched in versions 19.0.11, 20.0.10, and 21.0.2; no workarounds outside the updates are known to exist.
References (3)
Core 3
Core References
Third Party Advisory x_refsource_confirm
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-396j-vqpr-qg45
Permissions Required, Third Party Advisory x_refsource_misc
https://hackerone.com/reports/1173436
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/202208-17
Scores
CVSS v3
2.7
EPSS
0.0038
EPSS Percentile
59.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-201
Status
published
Products (1)
nextcloud/nextcloud_server
< 19.0.11
Published
Jun 01, 2021
Tracked Since
Feb 18, 2026