CVE-2017-0895
published 2017-05-08CVE-2017-0895: Nextcloud Server before 10.0.4 and 11.0.2 are vulnerable to disclosure of calendar and addressbook names to other logged-in users. Note that no actual content…
PriorityP412low3.5CVSS 3.0
AVNACLPRLUIRSUCLINAN
EPSS
0.72%
49.5th percentile
Nextcloud Server before 10.0.4 and 11.0.2 are vulnerable to disclosure of calendar and addressbook names to other logged-in users. Note that no actual content of the calendar and addressbook has been disclosed.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nextcloud | nextcloud_server | — | — |
| nextcloud | nextcloud_server | >= 10.0.0 < 10.0.4 | 10.0.4 |
| nextcloud | nextcloud_server | >= 11.0.0 < 11.0.2 | 11.0.2 |
CVSS provenance
nvdv3.03.5LOWCVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
nvdv2.03.5LOWAV:N/AC:M/Au:S/C:P/I:N/A:N
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2017-0890 CVE-2017-0891 CVE-2017-0892 CVE-2017-0893 CVE-2017-0894 CVE-2017-0895 owncloud: nextcloud: Multiple security issues [epel-7]
bugzilla·2017-05-16·CVSS 5.4
CVE-2017-0890 [MEDIUM] CVE-2017-0890 CVE-2017-0891 CVE-2017-0892 CVE-2017-0893 CVE-2017-0894 CVE-2017-0895 owncloud: nextcloud: Multiple security issues [epel-7]
CVE-2017-0890 CVE-2017-0891 CVE-2017-0892 CVE-2017-0893 CVE-2017-0894 CVE-2017-0895 owncloud: nextcloud: Multiple security issues [epel-7]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-7.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit messa
Bugzilla
CVE-2017-0890 CVE-2017-0891 CVE-2017-0892 CVE-2017-0893 CVE-2017-0894 CVE-2017-0895 owncloud: nextcloud: Multiple security issues [fedora-all]
bugzilla·2017-05-16·CVSS 5.4
CVE-2017-0890 [MEDIUM] CVE-2017-0890 CVE-2017-0891 CVE-2017-0892 CVE-2017-0893 CVE-2017-0894 CVE-2017-0895 owncloud: nextcloud: Multiple security issues [fedora-all]
CVE-2017-0890 CVE-2017-0891 CVE-2017-0892 CVE-2017-0893 CVE-2017-0894 CVE-2017-0895 owncloud: nextcloud: Multiple security issues [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg comm
Bugzilla
CVE-2017-0890 CVE-2017-0891 CVE-2017-0892 CVE-2017-0893 CVE-2017-0894 CVE-2017-0895 nextcloud: Multiple security issues [fedora-all]
bugzilla·2017-05-09·CVSS 5.4
CVE-2017-0890 [MEDIUM] CVE-2017-0890 CVE-2017-0891 CVE-2017-0892 CVE-2017-0893 CVE-2017-0894 CVE-2017-0895 nextcloud: Multiple security issues [fedora-all]
CVE-2017-0890 CVE-2017-0891 CVE-2017-0892 CVE-2017-0893 CVE-2017-0894 CVE-2017-0895 nextcloud: Multiple security issues [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message
Bugzilla
CVE-2017-0890 CVE-2017-0891 CVE-2017-0892 CVE-2017-0893 CVE-2017-0894 CVE-2017-0895 nextcloud: Multiple security issues [epel-7]
bugzilla·2017-05-09·CVSS 5.4
CVE-2017-0890 [MEDIUM] CVE-2017-0890 CVE-2017-0891 CVE-2017-0892 CVE-2017-0893 CVE-2017-0894 CVE-2017-0895 nextcloud: Multiple security issues [epel-7]
CVE-2017-0890 CVE-2017-0891 CVE-2017-0892 CVE-2017-0893 CVE-2017-0894 CVE-2017-0895 nextcloud: Multiple security issues [epel-7]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-7.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Disc
Bugzilla
CVE-2017-0890 CVE-2017-0891 CVE-2017-0892 CVE-2017-0893 CVE-2017-0894 CVE-2017-0895 nextcloud: Multiple security issues
bugzilla·2017-05-09·CVSS 5.4
CVE-2017-0890 [MEDIUM] CVE-2017-0890 CVE-2017-0891 CVE-2017-0892 CVE-2017-0893 CVE-2017-0894 CVE-2017-0895 nextcloud: Multiple security issues
CVE-2017-0890 CVE-2017-0891 CVE-2017-0892 CVE-2017-0893 CVE-2017-0894 CVE-2017-0895 nextcloud: Multiple security issues
Multiple vulnerabilities were found in nextcloud server.
CVE-2017-0890 - Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.
https://nextcloud.com/security/advisory/?id=nc-sa-2017-007
CVE-2017-0891 - Nextcloud Server before 9.0.58 and 10.0.5 and 11.0.3 are vulnerable to an inadequate escaping of error messages leading to XSS vulnerabilities in multiple components.
https://nextcloud.com/security/advisory/?id=nc-sa-2017-008
CVE-2017-0892 - Nextcloud Server before 11.0.3 is vulnerable to an improper session h
HackerOne
Calendar and addressbook names disclosed (NC-SA-2017-012)
hackerone·2017-05-08·CVSS 3.5
[LOW] Calendar and addressbook names disclosed (NC-SA-2017-012)
Calendar and addressbook names disclosed (NC-SA-2017-012)
#[Calendar and addressbook names disclosed (NC-SA-2017-012)](https://nextcloud.com/security/advisory/?id=nc-sa-2017-012)
**Risk level:** Low
**CVSS v3 Base Score:** 3.5 (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)
**CWE:** Information Exposure Through Directory Listing (CWE-548)
#Description
A logical error caused disclosure of calendar and addressbook names to other logged-in users. Note that no actual content of the calendar and adressbook has been disclosed.
#Affected Software
- Nextcloud Server < 11.0.2 (CVE-2017-0895)
- Nextcloud Server < 10.0.4 (CVE-2017-0895)
#Action Taken
The error has been fixed and regression tests been added.
#Acknowledgements
The Nextcloud team thanks the following people for their research and responsibl
2017-05-08
Published