Skip to content

File path disclosure of shared files in OfficeOnline application

Low
LukasReschke published GHSA-56wm-r6jm-3v9h Oct 25, 2021

Package

OfficeOnline (Nextcloud)

Affected versions

< 1.1.1

Patched versions

1.1.1

Description

Impact

The Nextcloud OfficeOnline application did return verbatim exception messages to the user. This could result in a full path disclosure on shared files. (e.g. an attacker could see that the file shared.txt is located within /files/$username/Myfolder/Mysubfolder/shared.txt)

Patches

It is recommended that the OfficeOnline application is upgraded to 1.1.1.

Workarounds

Disable the OfficeOnline application in the app settings.

References

For more information

If you have any questions or comments about this advisory:

Severity

Low

CVE ID

CVE-2021-39224

Weaknesses