Insecure Direct Object Reference in Nextcloud Deck
CVE-2020-8297

4.3MEDIUM

Key Information:

Vendor

Nextcloud
Status
Nextcloud Deck
Vendor
CVE Published:
23 February 2021

What is CVE-2020-8297?

Nextcloud Deck prior to version 1.0.2 is vulnerable to an insecure direct object reference (IDOR) issue. This vulnerability allows users who possess a duplicate user identifier to gain access to data belonging to previously deleted users, potentially exposing sensitive information. Proper validation and checks should be implemented to prevent unauthorized access and ensure user data integrity.

Affected Version(s)

Nextcloud Deck Fixed in 1.0.2

References

https://hackerone.com/reports/882258
x_refsource_MISC
https://nextcloud.com/security/advisory/?id=NC-SA-2021-007
x_refsource_MISC
https://github.com/nextcloud/deck/pull/1976
x_refsource_MISC

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.