| Severity |
|
| Remote |
|
| Type |
| - |
Unknown |
| + |
Information disclosure |
|
| Description |
| + |
In Nextcloud Server versions prior to 21.0.3, there was a lack of rate limiting on the public share link mount endpoint. This may have allowed an attacker to enumerate potentially valid share tokens. |
|
| References |
| + |
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-crvj-vmf7-xrvr |
| + |
https://hackerone.com/reports/1192144 |
| + |
https://github.com/nextcloud/server/pull/26958 |
| + |
https://github.com/nextcloud/server/commit/1ed66f2ac17a2b4effba46a13ed735b67a1e94ba |
|
| Notes |
|