// For flags

CVE-2017-0936

 

Severity Score

5.7
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Nextcloud Server before 11.0.7 and 12.0.5 suffers from an Authorization Bypass Through User-Controlled Key vulnerability. A missing ownership check allowed logged-in users to change the scope of app passwords of other users. Note that the app passwords themselves where neither disclosed nor could the error be misused to identify as another user.

Nextcloud Server en versiones anteriores a la 11.0.7 y versiones 12.0.5 contiene una vulnerabilidad de omisión de autorización mediante una clave controlada por el usuario. La falta de una verificación de propiedad permitía a los usuarios con sesión iniciada modificar el alcance de las contraseñas de la aplicación de otros usuarios. Hay que tener en cuenta que las contraseñas de app no se revelaban de por sí y que el error no se puede utilizar para identificarse como otro usuario.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None
Attack Vector
Network
Attack Complexity
Medium
Authentication
Single
Confidentiality
None
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2016-11-30 CVE Reserved
  • 2018-03-28 CVE Published
  • 2023-03-08 EPSS Updated
  • 2024-09-16 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-639: Authorization Bypass Through User-Controlled Key
CAPEC
References (2)
URL Tag Source
https://hackerone.com/reports/297751 Third Party Advisory
URL Date SRC
URL Date SRC
URL Date SRC
https://nextcloud.com/security/advisory/?id=nc-sa-2018-001 2019-10-09
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Nextcloud
Search vendor "Nextcloud"
 Nextcloud Server
Search vendor "Nextcloud" for product "Nextcloud Server"
 < 11.0.7
Search vendor "Nextcloud" for product "Nextcloud Server" and version " < 11.0.7"
-
Affected
Nextcloud
Search vendor "Nextcloud"
 Nextcloud Server
Search vendor "Nextcloud" for product "Nextcloud Server"
 12.0.5
Search vendor "Nextcloud" for product "Nextcloud Server" and version "12.0.5"
-
Affected