CVE-2020-8154

An Insecure direct object reference vulnerability in Nextcloud Server 18.0.2 allowed an attacker to remote wipe devices of other users when sending a malicious request directly to the endpoint.

Published: May 12, 2020
Updated: Apr 14, 2023
CVE: CVE-2020-8154
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.7
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

CVSS v2:

Severity: Medium
Score: 6.8
AV:N/AC:L/Au:S/C:N/I:N/A:C

CWEs:

CWE-639

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
nextcloud / nextcloud_server	18.0.0	18.0.3
nextcloud / nextcloud_server	-	17.0.5

http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00037.html
http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00038.html
http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00040.html
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00019.html
https://hackerone.com/reports/819807
https://lists.fedoraproject.org/archives/list/[email protected]/message/KC6HLX5SG4PZO6Y54D2LFJ4ATG76BKOP/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KC6HLX5SG4PZO6Y54D2LFJ4ATG76BKOP/
https://nextcloud.com/security/advisory/?id=NC-SA-2020-018

Vulnerability Database

289,697

CVE-2020-8154