Improper Check for Dropped Privileges in Nextcloud Server - CVE-2018-16466

Published: October 30, 2018 / Updated: July 17, 2020


Vulnerability identifier: #VU31187
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2018-16466
CWE-ID: CWE-273
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Nextcloud
Affected software:
Nextcloud Server

Detailed vulnerability description

The vulnerability allows a remote authenticated user to read and manipulate data.

Improper revalidation of permissions in Nextcloud Server prior to 14.0.0, 13.0.6 and 12.0.11 leads to access restrictions carried by access tokens not being enforced.


How to mitigate CVE-2018-16466

Install update from vendor's website.

Sources