Impact
Sensitive information such as the OIDC client credentials and tokens is sent in plain text over HTTP when TLS is not used.
Patches
Patched in user_oidc v1.2.1
Workarounds
Use HTTPS to access Nextcloud, and set an HTTPS discovery URL in the provider settings (in the Nextcloud OIDC admin settings).
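To verify the workaround before relying on it, the following check (an added example, not code from user_oidc or Nextcloud) confirms that the configured discovery URL uses HTTPS and, going one step beyond the workaround text, that every credential- or token-carrying endpoint advertised in the discovery document does too, since an HTTPS discovery URL alone does not stop a provider document from pointing the token exchange at a plain-HTTP endpoint. The discovery documents and URLs below are constructed sample input, and the list of endpoint fields treated as sensitive is an assumption of this example.

```python
"""Check an OIDC discovery URL and the endpoints in its discovery document
for HTTPS, so client credentials and tokens never travel in cleartext.

Added example; not code from the user_oidc project or Nextcloud.
"""
from urllib.parse import urlparse

# Discovery-document fields that carry client credentials, codes or tokens.
# Which fields matter is an assumption of this example, not from the advisory.
SENSITIVE_ENDPOINTS = (
    "issuer",
    "authorization_endpoint",
    "token_endpoint",
    "userinfo_endpoint",
    "jwks_uri",
    "end_session_endpoint",
)


def is_https(url):
    """True only for an absolute URL whose scheme is https."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)


def check_discovery(discovery_url, discovery_doc):
    """Return a list of findings; an empty list means everything is HTTPS.

    discovery_doc is the parsed JSON of .well-known/openid-configuration.
    """
    findings = []
    if not is_https(discovery_url):
        findings.append(f"discovery URL is not HTTPS: {discovery_url}")
    for key in SENSITIVE_ENDPOINTS:
        url = discovery_doc.get(key)
        if url is None:
            continue  # optional endpoint not advertised by this provider
        if not is_https(url):
            findings.append(f"{key} is not HTTPS: {url}")
    return findings


# Constructed sample input (hypothetical provider hostnames).
HTTPS_DISCOVERY_URL = "https://idp.example.test/.well-known/openid-configuration"
HTTP_DISCOVERY_URL = "http://idp.example.test/.well-known/openid-configuration"

GOOD_DOC = {
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/authorize",
    "token_endpoint": "https://idp.example.test/token",
    "userinfo_endpoint": "https://idp.example.test/userinfo",
    "jwks_uri": "https://idp.example.test/jwks",
}

# Every endpoint plain HTTP: the situation the advisory describes.
BAD_DOC = {
    "issuer": "http://idp.example.test",
    "authorization_endpoint": "http://idp.example.test/authorize",
    "token_endpoint": "http://idp.example.test/token",
    "jwks_uri": "http://idp.example.test/jwks",
}

# HTTPS discovery URL, but the token exchange (where the client secret is
# sent) still goes over HTTP: the case the workaround alone does not catch.
MIXED_DOC = dict(GOOD_DOC, token_endpoint="http://idp.example.test/token")


if __name__ == "__main__":
    for name, url, doc in (
        ("good", HTTPS_DISCOVERY_URL, GOOD_DOC),
        ("bad", HTTP_DISCOVERY_URL, BAD_DOC),
        ("mixed", HTTPS_DISCOVERY_URL, MIXED_DOC),
    ):
        findings = check_discovery(url, doc)
        status = "OK" if not findings else "FAIL"
        print(f"{name}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```

Run it against the provider's real discovery document (fetched separately over HTTPS) after applying the workaround; any finding on `token_endpoint` or `userinfo_endpoint` means the provider configuration itself still pushes credentials or tokens over HTTP, which the Nextcloud-side setting cannot fix.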
References
nextcloud/user_oidc#495
https://hackerone.com/reports/1687005
For more information
If you have any questions or comments about this advisory: