CVE-2021-32766Information Exposure via Error Message in Security-advisories

CWE-209Information Exposure via Error Message2 documents2 sources
Severity
5.3MEDIUMNVD
EPSS
0.4%
top 40.30%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Nextcloud Security-advisoriesNextcloud Server
Timeline
PublishedSep 7

Description

Nextcloud Text is an open source plaintext editing application which ships with the nextcloud server. In affected versions the Nextcloud Text application returned different error messages depending on whether a folder existed in a public link share. This is problematic in case the public link share has been created with "Upload Only" privileges. (aka "File Drop"). A link share recipient is not expected to see which folders or files exist in a "File Drop" share. Using this vulnerability an attack

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

NVDnextcloud/nextcloud_server21.0.021.0.4+2
CVEListV5nextcloud/security-advisories< 20.0.12+2

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

1
CVEList
Nextcloud Text app can disclose existence of folders in "File Drop" link share2021-09-07
CVE-2021-32766 — Information Exposure via Error Message | cvebase