#VU35649 Improper Authentication in nextcloud - CVE-2019-5455


| Updated: 2020-08-08

Vulnerability identifier: #VU35649

Vulnerability risk: Medium

CVSSv4.0: 4 [CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-5455

CWE-ID: CWE-287

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
nextcloud
Other software / Other software solutions

Vendor: Nextcloud

Description

The vulnerability allows a local non-authenticated attacker to execute arbitrary code.

Bypassing lock protection exists in Nextcloud Android app 3.6.0 when creating a multi-account and aborting the process.

Mitigation
Install update from vendor's website.

Vulnerable software versions

nextcloud: 3.6.0

External links
https://hackerone.com/reports/490946

Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Improper Authentication in nextcloud