Impact
An attacker is able to convert a Files Drop link to a federated share. This causes an issue on the UI side of the sharing user: when the sharing user opens the sharing panel and tries to remove the "Create" privileges of this unexpected share, the Nextcloud server silently grants the share read privileges.
Patches
It is recommended that the Nextcloud Server is upgraded to 19.0.11, 20.0.10 or 21.0.2.
Workarounds
None.
References
For more information
If you have any questions or comments about this advisory: