7th February 2018
Risk level: Low
CVSS v3 Base Score: 3.5 (AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L)
CWE: Authorization Bypass Through User-Controlled Key (CWE-639)
HackerOne report: 297751
A missing ownership check allowed logged-in users to change the scope of app passwords belonging to other users. Note that the app passwords themselves were neither disclosed, nor could the flaw be misused to impersonate another user.
The issue has been fixed and regression tests have been added.
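The following is an added illustration of the authorization pattern behind this advisory (CWE-639), not Nextcloud's own code: a scope-update operation keyed by a client-supplied token id, first without an ownership check and then with the lookup scoped to the logged-in user, plus a small regression check of the kind the advisory says was added. The token store, user ids and function names are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class AppPassword:
    """Constructed model of an app password token and its scope."""
    token_id: int
    owner_uid: str
    filesystem_access: bool = True


class TokenNotFound(Exception):
    pass


class TokenStore:
    """In-memory stand-in for a tokens table (constructed for this example)."""

    def __init__(self, tokens):
        self._by_id = {t.token_id: t for t in tokens}

    def get_by_id(self, token_id):
        # Lookup by the client-supplied key alone; ownership is not considered.
        if token_id not in self._by_id:
            raise TokenNotFound(token_id)
        return self._by_id[token_id]

    def get_by_id_for_user(self, owner_uid, token_id):
        # Ownership is part of the query: a token that exists but belongs to
        # someone else is reported exactly like one that does not exist, so the
        # response does not even confirm that the id is valid.
        token = self._by_id.get(token_id)
        if token is None or token.owner_uid != owner_uid:
            raise TokenNotFound(token_id)
        return token


def update_scope_unchecked(store, current_uid, token_id, filesystem_access):
    """Vulnerable pattern (CWE-639): current_uid is never consulted."""
    token = store.get_by_id(token_id)
    token.filesystem_access = filesystem_access
    return token


def update_scope_checked(store, current_uid, token_id, filesystem_access):
    """Hardened pattern: the lookup itself is scoped to the logged-in user,
    so the ownership constraint cannot be forgotten by a caller."""
    token = store.get_by_id_for_user(current_uid, token_id)
    token.filesystem_access = filesystem_access
    return token


def fresh_store():
    # Two users, one token each (constructed sample data).
    return TokenStore([AppPassword(1, "alice"), AppPassword(2, "bob")])


def regression_check(update_fn):
    """Return (other_user_blocked, owner_allowed) for a scope-update function.

    Models the regression test the advisory mentions: 'bob' must not be able
    to change the scope of alice's token 1, while alice herself still can."""
    store = fresh_store()
    try:
        update_fn(store, "bob", 1, False)
        other_user_blocked = False
    except TokenNotFound:
        # Rejected, and the token must be untouched.
        other_user_blocked = store.get_by_id(1).filesystem_access is True
    store = fresh_store()
    update_fn(store, "alice", 1, False)
    owner_allowed = store.get_by_id(1).filesystem_access is False
    return other_user_blocked, owner_allowed


if __name__ == "__main__":
    print("unchecked:", regression_check(update_scope_unchecked))  # (False, True)
    print("checked:  ", regression_check(update_scope_checked))    # (True, True)
```

The design point is that the ownership filter lives in the data-access method rather than in each caller: every handler that resolves a token through `get_by_id_for_user` gets the check for free, and an object belonging to another user yields the same not-found result as a non-existent id, which also avoids leaking whether a given token id exists.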
It is recommended that all instances are upgraded to Nextcloud 12.0.5.
The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory: