Uploading files to a folder where the invited user doesn't have any EDIT privilege

Disclosed: 2016-07-19 13:06:41 By detroitsmash To nextcloud
Unknown
Vulnerability Details
Hi,

Any invited user to a shared folder with no edit privilege can create files in it through the copy feature of the ``Nextcloud`` Android app.

### Steps to reproduce it

+ Create any folder and invite a user to it without any edit privilege.
+ Now log in from the invited user's account through the Android app.
+ Copy any file from your ``nextcloud`` root folder to the shared folder.
+ Check the Nextcloud web app!! The copied file will show in the shared folder.

Thanks
Report Stats
  • Report ID: 145950
  • State: Closed
  • Substate: resolved
  • Upvotes: 9