CVE-2020-8154 - Authorization Bypass Through User-Controlled Key vulnerability in Nextcloud Server
CVSS v3 metrics
Attack vector | NETWORK
Attack complexity | LOW
Privileges required | LOW
Confidentiality impact | NONE
Integrity impact | NONE
Availability impact | HIGH
Summary
An insecure direct object reference (IDOR) vulnerability in Nextcloud Server 18.0.2 allowed an authenticated attacker to remotely wipe the devices of other users by sending a crafted request directly to the remote-wipe endpoint, supplying an identifier that belonged to another user's device. The server acted on the user-controlled key without verifying that the caller owned the referenced device.
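The weakness behind this CVE is a lookup keyed on a request-supplied identifier with no ownership check. The following is an added illustration of that pattern in a hypothetical remote-wipe service, not Nextcloud's own code: the store, token IDs, user names and the `wipe_vulnerable`/`wipe_fixed` functions are all constructed for the example. The vulnerable handler marks whichever token the caller names; the fixed handler scopes the lookup to the authenticated user and treats "not yours" the same as "does not exist", so the caller can neither wipe nor enumerate other users' devices.

```python
"""
CWE-639 (authorization bypass through a user-controlled key) in a hypothetical
remote-wipe endpoint. Added example code; not Nextcloud's implementation.
All users, token IDs and device names below are constructed.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller does not own the referenced device token."""


@dataclass
class DeviceToken:
    token_id: int        # the key the client sends in the wipe request
    owner: str           # user the device/app token belongs to
    name: str
    wipe_pending: bool = False


@dataclass
class TokenStore:
    tokens: dict = field(default_factory=dict)

    def add(self, tok: DeviceToken) -> None:
        self.tokens[tok.token_id] = tok

    def get(self, token_id: int) -> DeviceToken:
        """Lookup by primary key only; ownership is not considered."""
        return self.tokens[token_id]

    def get_for_user(self, owner: str, token_id: int) -> DeviceToken:
        """Lookup scoped to the caller; a token owned by someone else is a miss."""
        tok = self.tokens.get(token_id)
        if tok is None or tok.owner != owner:
            raise KeyError(token_id)
        return tok


def wipe_vulnerable(store: TokenStore, caller: str, token_id: int) -> DeviceToken:
    """The IDOR: token_id from the request selects the row, caller is ignored."""
    tok = store.get(token_id)
    tok.wipe_pending = True
    return tok


def wipe_fixed(store: TokenStore, caller: str, token_id: int) -> DeviceToken:
    """Authorize by scoping the query to the authenticated user.

    A foreign or non-existent token yields the same error, so the response
    leaks nothing about which IDs exist for other users.
    """
    try:
        tok = store.get_for_user(caller, token_id)
    except KeyError:
        raise Forbidden(f"no device token {token_id} for user {caller}") from None
    tok.wipe_pending = True
    return tok


def build_demo_store() -> TokenStore:
    """Constructed sample data: two users, one device each."""
    store = TokenStore()
    store.add(DeviceToken(1, "alice", "alice-phone"))
    store.add(DeviceToken(2, "bob", "bob-laptop"))
    return store


if __name__ == "__main__":
    s = build_demo_store()
    # alice names bob's token: the vulnerable handler wipes bob's device
    print(wipe_vulnerable(s, "alice", 2))
    s = build_demo_store()
    try:
        wipe_fixed(s, "alice", 2)
    except Forbidden as e:
        print("fixed handler refused:", e)
    print(wipe_fixed(s, "alice", 1))
```

The check to look for in any "act on object by ID" endpoint is that the ID is resolved through a query that already carries the caller's identity (a `WHERE uid = :caller AND id = :id` equivalent), not through a global primary-key lookup followed by an optional comparison that is easy to forget.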
Vulnerable Configurations
Nextcloud Server 18.0.2 (the openSUSE update listed below moves the package to 18.0.4)
Common Weakness Enumeration (CWE)
CWE-639: Authorization Bypass Through User-Controlled Key
Nessus
NASL family | SuSE Local Security Checks
NASL id | OPENSUSE-2020-670.NASL
description | This update for nextcloud to 18.0.4 fixes the following issues: Security issues fixed: - CVE-2020-8154: Fixed an XSS vulnerability when opening malicious PDFs (NC-SA-2020-018 boo#1171579). - CVE-2020-8155: Fixed a direct object reference vulnerability that allowed attackers to remotely wipe devices of other users (NC-SA-2020-019 boo#1171572).
last seen | 2020-05-31
modified | 2020-05-26
plugin id | 136872
published | 2020-05-26
reporter | This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source | https://www.tenable.com/plugins/nessus/136872
title | openSUSE Security Update : nextcloud (openSUSE-2020-670)
References
- https://nextcloud.com/security/advisory/?id=NC-SA-2020-018
- https://hackerone.com/reports/819807
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00037.html
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00038.html
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00040.html
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00019.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KC6HLX5SG4PZO6Y54D2LFJ4ATG76BKOP/