Impact
Two-Factor Authentication was not enforced for pages marked as public. Any page marked as @PublicPage could thus be accessed with a valid user session that had not yet completed Two-Factor Authentication.
This particularly affects the Nextcloud Talk application, as this could be leveraged to gain access to any private chat channel without going through the Two-Factor flow.
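A simplified model of the flaw described above, as an added example that is not Nextcloud's code. The names Session, Route and the two before_controller functions are hypothetical, and public_page stands in for the @PublicPage annotation.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    user: Optional[str]               # None models an anonymous visitor
    two_factor_required: bool = False
    two_factor_done: bool = False

    @property
    def needs_second_factor(self) -> bool:
        # Password accepted, second factor still outstanding
        return (self.user is not None
                and self.two_factor_required
                and not self.two_factor_done)


@dataclass
class Route:
    name: str
    public_page: bool                 # models the @PublicPage annotation


class TwoFactorPending(Exception):
    """The request must go to the second-factor challenge first."""


def before_controller_vulnerable(route: Route, session: Session) -> Optional[str]:
    """Flawed ordering: public routes return before the 2FA state is checked."""
    if route.public_page:
        return session.user           # controller now acts as this user
    if session.user is None:
        raise PermissionError("login required")
    if session.needs_second_factor:
        raise TwoFactorPending(route.name)
    return session.user


def before_controller_fixed(route: Route, session: Session) -> Optional[str]:
    """2FA state is checked for every logged-in session, public route or not."""
    if session.needs_second_factor:
        raise TwoFactorPending(route.name)
    if route.public_page:
        return session.user           # anonymous visitors still get None here
    if session.user is None:
        raise PermissionError("login required")
    return session.user
```

Both functions return the identity the controller will act as, so a regression test only needs to assert that a session with a pending second factor never yields a user name on a public route.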
Patches
It is recommended that the Nextcloud Server is upgraded to 20.0.13, 21.0.5 or 22.2.0.
Workarounds
None.
References
For more information
If you have any questions or comments about this advisory: