SB2020020429 - Multiple vulnerabilities in Nextcloud Server
Published: February 4, 2020 Updated: July 17, 2020
Security Bulletin ID
SB2020020429
Severity
High
Patch available
YES
Number of vulnerabilities
2
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Exposure of Resource to Wrong Sphere (CVE-ID: CVE-2020-8121)
The vulnerability allows a remote authenticated user to read and manipulate data.
A bug in Nextcloud Server 14.0.4 could expose more data in reshared link shares than intended by the sharer.
2) Input validation error (CVE-ID: CVE-2020-8122)
The vulnerability allows a remote authenticated user to manipulate data.
A missing check in Nextcloud Server 14.0.3 could give recipient the possibility to extend the expiration date of a share they received.
Remediation
Install update from vendor's website.