CVE-2020-8154Authorization Bypass Through User-Controlled Key in Server

CWE-639Authorization Bypass Through User-Controlled Key6 documents4 sources
Severity
7.7HIGHNVD
EPSS
1.0%
top 23.42%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Nextcloud Server
Timeline
PublishedMay 12
Latest updateMay 24

Description

An Insecure direct object reference vulnerability in Nextcloud Server 18.0.2 allowed an attacker to remote wipe devices of other users when sending a malicious request directly to the endpoint.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:HExploitability: 3.1 | Impact: 4.0

Affected Packages2 packages

NVDnextcloud/nextcloud_server18.0.018.0.3+1
CVEListV5nextcloud/nextcloud_server18.0.3

🔴Vulnerability Details

2
GHSA
GHSA-r63f-25g5-v4wf: An Insecure direct object reference vulnerability in Nextcloud Server 182022-05-24
CVEList
CVE-2020-8154: An Insecure direct object reference vulnerability in Nextcloud Server 182020-05-12

💬Community

3
Bugzilla
CVE-2020-8153 CVE-2020-8154 CVE-2020-8155 CVE-2020-8156 nextcloud: multiple vulnerabilities2020-05-20
Bugzilla
CVE-2020-8153 CVE-2020-8154 CVE-2020-8155 CVE-2020-8156 nextcloud: multiple vulnerabilities [fedora-all]2020-05-20
Bugzilla
CVE-2020-8153 CVE-2020-8154 CVE-2020-8155 CVE-2020-8156 nextcloud: multiple vulnerabilities [epel-7]2020-05-20
CVE-2020-8154 — Nextcloud Server vulnerability | cvebase