CVE-2019-15623 : Exposure of Private Information in Nextcloud Server 16.0.1 causes the server to send it's domain and user IDs to the Nex

Exposure of Private Information in Nextcloud Server 16.0.1 causes the server to send it's domain and user IDs to the Nextcloud Lookup Server without any further data when the Lookup server is disabled.

Published 2020-02-04 20:15:13

Updated 2021-10-29 16:23:00

Source HackerOne

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2019-15623

Probability of exploitation activity in the next 30 days: 0.18%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 54 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2019-15623

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:P/I:N/A:N	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	3.9	1.4	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: None Availability: None

CWE ids for CVE-2019-15623

CWE-359 Exposure of Private Personal Information to an Unauthorized Actor

The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

Assigned by: support@hackerone.com (Secondary)

References for CVE-2019-15623

http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00022.html

[security-announce] openSUSE-SU-2020:0229-1: moderate: Security update f
Third Party Advisory

CVEs referencing this url
https://hackerone.com/reports/508490

#508490 Nextcloud domain and name of every user leaked to lookup server
Exploit;Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00019.html

[security-announce] openSUSE-SU-2020:0220-1: moderate: Security update f
Mailing List;Third Party Advisory

CVEs referencing this url
https://nextcloud.com/security/advisory/?id=NC-SA-2019-016

advisory – Nextcloud
Third Party Advisory;Vendor Advisory

Products affected by CVE-2019-15623

Suse » Package Hub » Version: N/A
cpe:2.3:a:suse:package_hub:-:*:*:*:*:*:*:*
Matching versions
Opensuse » Backports Sle » Version: 15.0 Update SP1
cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*
Matching versions
Nextcloud » Nextcloud Server
Versions before (<) 14.0.13
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*
Matching versions
Nextcloud » Nextcloud Server
Versions from including (>=) 16.0.0 and before (<) 16.0.2
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*
Matching versions
Nextcloud » Nextcloud Server
Versions from including (>=) 15.0.0 and before (<) 15.0.9
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2019-15623

Exploit prediction scoring system (EPSS) score for CVE-2019-15623

CVSS scores for CVE-2019-15623

CWE ids for CVE-2019-15623

References for CVE-2019-15623

Products affected by CVE-2019-15623