CVE-2019-15611

EPSS 1.1% · CWE-657 (Violation of Secure Design Principles)
In short

The Nextcloud iOS app version 2.23.0 unintentionally shares user login credentials and authentication tokens with other Nextcloud services during certain operations like searching for federated users or setting up push notifications. This exposes sensitive authentication data that should remain private.

Technical detail

The application violates secure design principles by attaching the user's login and authentication token to requests sent to other Nextcloud services, for example when searching for federated users on a remote instance or when registering the device for push notifications, instead of restricting those credentials to the user's own server. The operator of a federated Nextcloud instance, or any other party that receives or intercepts one of these requests, could capture the credentials and use them to access the user's account on their home instance; a token exposed in this way should be treated as compromised.
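The core of the defect is a client that sends the same credentials to every destination. The following is an added illustration in Python, not code from the Nextcloud iOS app, that places the leaky pattern beside an origin-scoped version: credentials are only attached when the request targets the account's own server, and a cross-origin redirect strips them again. Hostnames and the account data are constructed sample values; the Basic-auth encoding of login and app token is an assumption modelled on how Nextcloud app passwords are typically sent, and is not taken from the advisory.

```python
import base64
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Account:
    """The user's own Nextcloud account (sample values are constructed for the demo)."""
    server: str      # base URL of the home instance, e.g. "https://cloud.example.com"
    login: str
    app_token: str   # app password / token used as the Basic-auth secret (assumption)


def origin(url: str) -> tuple[str, str, int]:
    """Normalise a URL to (scheme, host, port) so two URLs on the same instance
    compare equal even if one omits the default port or differs in host case."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported URL: {url!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname.lower(), port)


def basic_auth(account: Account) -> str:
    creds = f"{account.login}:{account.app_token}".encode()
    return "Basic " + base64.b64encode(creds).decode()


def build_request_vulnerable(account: Account, url: str) -> dict:
    """Pattern the advisory describes: credentials go on every outbound request,
    so a federated user search or a push-registration call aimed at a different
    Nextcloud service receives the user's login and token."""
    return {"url": url, "headers": {"OCS-APIRequest": "true",
                                    "Authorization": basic_auth(account)}}


def build_request_hardened(account: Account, url: str) -> dict:
    """Credentials are scoped to the home instance's origin (scheme, host, port);
    every other destination, including a plain-http downgrade of the same host,
    gets an unauthenticated request."""
    headers = {"OCS-APIRequest": "true"}
    if origin(url) == origin(account.server):
        headers["Authorization"] = basic_auth(account)
    return {"url": url, "headers": headers}


def follow_redirect(account: Account, request: dict, location: str) -> dict:
    """Rebuild a request for a redirect target. Carrying Authorization across a
    cross-origin redirect would bypass the scoping above, so it is dropped."""
    headers = dict(request["headers"])
    if origin(location) != origin(account.server):
        headers.pop("Authorization", None)
    return {"url": location, "headers": headers}


def off_origin_leaks(account: Account, requests: list[dict]) -> list[str]:
    """Audit helper: URLs of requests that carry Authorization to a foreign origin."""
    home = origin(account.server)
    return [r["url"] for r in requests
            if "Authorization" in r["headers"] and origin(r["url"]) != home]


if __name__ == "__main__":
    acct = Account("https://cloud.example.com", "alice", "tok")
    targets = [
        "https://cloud.example.com/ocs/v2.php/cloud/users/search?search=bob",  # home instance
        "https://other.example.org/ocs/v2.php/cloud/users/search?search=bob",  # federated instance
        "https://push.example.net/devices",                                     # push service
    ]
    print("vulnerable:", off_origin_leaks(acct, [build_request_vulnerable(acct, u) for u in targets]))
    print("hardened:  ", off_origin_leaks(acct, [build_request_hardened(acct, u) for u in targets]))
```

Run as a script, the audit helper lists the two foreign URLs that received credentials under the vulnerable builder and nothing under the hardened one. The same helper can be pointed at a proxy capture of the real app's traffic to check whether any `Authorization` header leaves the home origin.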

Summary generated and translated by AI from the official description.
Violation of Secure Design Principles in the iOS App 2.23.0 causes the app to leak its login and token to other Nextcloud services when searching, e.g., for federated users or registering for push notifications.
Affected products
n/a · Nextcloud iOS
