Vulnerability Details : CVE-2019-15623
Exposure of Private Information in Nextcloud Server 16.0.1 causes the server to send its domain and user IDs to the Nextcloud Lookup Server without any further data when the Lookup server is disabled.
Products affected by CVE-2019-15623
- cpe:2.3:a:suse:package_hub:-:*:*:*:*:*:*:*
- cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*
- cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*
- cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*
- cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-15623
- 0.19%: Probability of exploitation activity in the next 30 days
- ~57%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-15623
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST | |
5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 3.9 | 1.4 | NIST | |
CWE ids for CVE-2019-15623
- The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected. Assigned by: support@hackerone.com (Secondary)
References for CVE-2019-15623
- http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00022.html
  [security-announce] openSUSE-SU-2020:0229-1: moderate: Security update f (Third Party Advisory)
- https://hackerone.com/reports/508490
  #508490 Nextcloud domain and name of every user leaked to lookup server (Exploit; Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00019.html
  [security-announce] openSUSE-SU-2020:0220-1: moderate: Security update f (Mailing List; Third Party Advisory)
- https://nextcloud.com/security/advisory/?id=NC-SA-2019-016
  advisory – Nextcloud (Third Party Advisory; Vendor Advisory)