author | Joas Schilling <213943+nickvergessen@users.noreply.github.com> | 2021-03-01 13:57:04 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-03-01 13:57:04 +0300 |
commit | 549faa0b4d8d87747226afe663fabc15e4de64f9 (patch) | |
tree | 1f07ba912fee5c7796e50cd23a19283977b569cc | |
parent | f6e9aa7f8dabe8a6e1fbcd5bb3dad78e197c22ba (diff) | |
parent | 12346f21a56089d0abfd160e45eac8cbf94ddae5 (diff) |
Merge pull request #79 from nextcloud-gmbh/sa/882258
2021/007 - Advisory for #882258
-rw-r--r-- | deck/nc-sa-2021-007.json | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/deck/nc-sa-2021-007.json b/deck/nc-sa-2021-007.json
new file mode 100644
index 0000000..c95d9d1
--- /dev/null
+++ b/deck/nc-sa-2021-007.json
@@ -0,0 +1,33 @@
+{
+ "Title": "New users can read all Nextcloud Deck data from previous user with same username",
+ "Timestamp": 1591178400,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 5.1,
+ "vector": "AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L"
+ },
+ "CWE": {
+ "id": 639,
+ "name": "Insecure Direct Object Reference (IDOR)"
+ },
+ "HackerOne": 882258,
+ "Affected":[
+ {
+ "Version":"1.0.2",
+ "CVE":"CVE-2020-8297",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A logic error in Nextcloud Deck 1.0.1 allowed new users with a duplicate user identifier to use deck data of a previous deleted user.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Stefan Niedermann",
+ "Mail": "info@niedermann.it",
+ "Website": "https://www.niedermann.it",
+ "Company": "Niedermann IT-Dienstleistungen",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Deck is upgraded to 1.0.2."
+} |
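Review bot: `Description` names only Deck 1.0.1, while the `Affected` entry (`"Version":"1.0.2"`, `"Operator":"<"`) covers every release before 1.0.2, so a reader going by the text alone may conclude older installs are unaffected; wording such as `in Nextcloud Deck before 1.0.2` would match the structured field. `Timestamp` 1591178400 decodes to 2020-06-03T10:00:00Z, which sits oddly with an advisory numbered 2021-007 and committed in March 2021; if the field is meant as the publication date it looks stale, and if it records the fix date that should be confirmed against the advisory schema. `Resolution` does not say whether Deck data left behind by accounts deleted before the upgrade is cleaned up by 1.0.2 or remains until an administrator checks for it, which is the first thing an operator will need to know wherever user identifiers can be reused. The `CWE` name uses the common alias rather than the CWE-639 title ("Authorization Bypass Through User-Controlled Key"); that is fine if the schema intends it, but it should be kept consistent across advisories.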