Description
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.11, 20.0.10, and 21.0.2, an attacker is able to convert a Files Drop link to a federated share. This causes an issue on the UI side of the sharing user. When the sharing user opens the sharing panel and tries to remove the "Create" privileges of this unexpected share, Nextcloud server would silently grant the share read privileges. The vulnerability is patched in versions 19.0.11, 20.0.10 and 21.0.2. No workarounds are known to exist.
References (3)
Core 3
Core References
Third Party Advisory x_refsource_confirm
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-grph-cm44-p3jv
Permissions Required, Third Party Advisory x_refsource_misc
https://hackerone.com/reports/1167929
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/202208-17
Scores
CVSS v3
3.5
EPSS
0.0035
EPSS Percentile
57.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Details
CWE
CWE-241
Status
published
Products (1)
nextcloud/nextcloud_server
< 19.0.11
Published
Jun 01, 2021
Tracked Since
Feb 18, 2026