Advisory for #827816

Signed-off-by: Joas Schilling <coding@schilljs.com>
author: Joas Schilling <coding@schilljs.com> 2020-06-08 18:28:23 +0300
committer: Joas Schilling <coding@schilljs.com> 2020-06-08 18:28:23 +0300
commit: b3cd301ccb5af26eb8469b8e9c3adb72f510bfa4 (patch)
tree: 43db90ff0b21cc1fb73f16a4b20179278fcf2971 /deck
parent: f17b28abd786e457f5243ee3c7e978cf7f6baa67 (diff)
1 files changed, 32 insertions, 0 deletions
diff --git a/deck/nc-sa-2020-025.json b/deck/nc-sa-2020-025.json
new file mode 100644
index 0000000..11a003f
--- /dev/null
+++ b/deck/nc-sa-2020-025.json
@@ -0,0 +1,32 @@
+{
+   "Title": "Missing permission check on resharing a board",
+   "Timestamp": 1586347200,
+   "Risk": 1,
+   "CVSS3": {
+      "score": 7.3,
+      "vector": "AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H"
+   },
+   "CWE": {
+      "id": 284,
+      "name": "Improper Access Control - Generic"
+   },
+   "HackerOne": 827816,
+   "Affected":[
+      {
+         "Version":"0.8.1",
+         "CVE":"CVE-2020-8182",
+         "Operator":"<"
+      }
+   ],
+   "Description":"Improper access control in Nextcloud Deck 0.8.0 allowed an attacker to reshare boards shared with them with more permissions than they had themselves.",
+   "ActionTaken": "The error has been fixed.",
+   "Acknowledgment":[
+      {
+         "Name": "Silvia Väli",
+         "Mail": "silvia@clarifiedsecurity.com",
+         "Website": "https://www.clarifiedsecurity.com/silvia-vali/",
+         "Reason": "Vulnerability discovery and disclosure."
+      }
+   ],
+   "Resolution": "It is recommended that the Nextcloud Deck is upgraded to 0.8.1."
+}
author	Joas Schilling <coding@schilljs.com>	2020-06-08 18:28:23 +0300
committer	Joas Schilling <coding@schilljs.com>	2020-06-08 18:28:23 +0300
commit	b3cd301ccb5af26eb8469b8e9c3adb72f510bfa4 (patch)
tree	43db90ff0b21cc1fb73f16a4b20179278fcf2971 /deck
parent	f17b28abd786e457f5243ee3c7e978cf7f6baa67 (diff)