
github.com/nextcloud/security-advisories.git - Unnamed repository; edit this file 'description' to name the repository.
authorJoas Schilling <213943+nickvergessen@users.noreply.github.com>2021-03-01 13:57:04 +0300
committerGitHub <noreply@github.com>2021-03-01 13:57:04 +0300
commit549faa0b4d8d87747226afe663fabc15e4de64f9 (patch)
tree1f07ba912fee5c7796e50cd23a19283977b569cc
parentf6e9aa7f8dabe8a6e1fbcd5bb3dad78e197c22ba (diff)
parent12346f21a56089d0abfd160e45eac8cbf94ddae5 (diff)
Merge pull request #79 from nextcloud-gmbh/sa/882258
2021/007 - Advisory for #882258
-rw-r--r--deck/nc-sa-2021-007.json33
1 files changed, 33 insertions, 0 deletions
diff --git a/deck/nc-sa-2021-007.json b/deck/nc-sa-2021-007.json
new file mode 100644
index 0000000..c95d9d1
--- /dev/null
+++ b/deck/nc-sa-2021-007.json
@@ -0,0 +1,33 @@
+{
+ "Title": "New users can read all Nextcloud Deck data from previous user with same username",
+ "Timestamp": 1591178400,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 5.1,
+ "vector": "AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L"
+ },
+ "CWE": {
+ "id": 639,
+ "name": "Insecure Direct Object Reference (IDOR)"
+ },
+ "HackerOne": 882258,
+ "Affected":[
+ {
+ "Version":"1.0.2",
+ "CVE":"CVE-2020-8297",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A logic error in Nextcloud Deck 1.0.1 allowed new users with a duplicate user identifier to use deck data of a previous deleted user.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Stefan Niedermann",
+ "Mail": "info@niedermann.it",
+ "Website": "https://www.niedermann.it",
+ "Company": "Niedermann IT-Dienstleistungen",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Deck is upgraded to 1.0.2."
+}
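Review bot: The `Description` names only "Nextcloud Deck 1.0.1", but the `Affected` entry marks every release `< 1.0.2` as vulnerable, so someone triaging from the text alone could conclude that older installs are unaffected. If the range is correct, the sentence should match it, e.g. `"Description":"A logic error in Nextcloud Deck before 1.0.2 allowed new users with a duplicate user identifier to use Deck data of a previously deleted user."`; if only 1.0.1 is affected, narrow `Affected` instead. Separately, `"Timestamp": 1591178400` decodes to 2020-06-03 UTC, roughly nine months before this 2021-007 advisory was merged, so please confirm it is the intended date and not a leftover from another entry.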