| Severity |
|
| Remote |
|
| Type |
| - |
Unknown |
| + |
Information disclosure |
|
| Description |
| + |
In Nextcloud Server versions prior to 21.0.3, there was a lack of ratelimiting on the shareinfo endpoint. This may have allowed an attacker to enumerate potentially valid share tokens. |
|
| References |
| + |
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-375p-cxxq-gc9p |
| + |
https://hackerone.com/reports/1173684 |
| + |
https://github.com/nextcloud/server/pull/26945 |
| + |
https://github.com/nextcloud/server/commit/6bc2d6d68e19212ed83a2f3ce51ddbfcefa248ae |
|
| Notes |
|