3rd August 2018
Risk level: High
CVSS v3 Base Score: 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
CWE: Improper Authentication - Generic (CWE-287)
HackerOne report: 248656
Improper authentication of the second-factor challenge would allow an attacker who already had access to a user's credentials to bypass the second-factor validation completely.
The error has been fixed and regression tests are in place.
It is recommended that all instances be upgraded to at least Nextcloud 12.0.3.
The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory: