This is not a big security issue (as you need to be logged-in to get that response), but this is data that an attacker shouldn't be able to know easily.
This happens on a brand new install after using the web installer.
Steps to reproduce
Do a GET request on /ocs/v1.php/cloud/user?format=json
Expected behavior
No sensitive information being sent to the client.
Installation method
Community Web installer on a VPS or web space
Operating system
Debian/Ubuntu
PHP engine version
PHP 8.1
Web server
Other
Database engine version
SQLite
Is this bug present after an update or on a fresh install?
No response
Are you using the Nextcloud Server Encryption module?
No response
What user-backends are you using?
Default user-backend (database)
LDAP/ Active Directory
SSO - SAML
Other
Configuration report
No response
List of activated Apps
not important
Nextcloud Signing status
No response
Nextcloud Logs
No response
Additional info
No response
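A regression check for the behaviour reported above, added here as an example and not taken from the issue or from Nextcloud: it walks a JSON response body and reports every string value that looks like an absolute server-side filesystem path. The sample response, its field names and the list of path prefixes are constructed assumptions.

```python
import json
import re

# Assumption: prefixes that indicate a server-side filesystem path rather than
# a URL path. Adjust to the deployment (for example, add the real data root).
LOCAL_PATH = re.compile(
    r"^(?:/(?:var|srv|home|opt|usr|mnt|data|etc|root)/\S+|[A-Za-z]:\\\S+)"
)


def find_path_leaks(node, trail="$"):
    """Return (json_path, value) pairs for strings that look like local paths."""
    leaks = []
    if isinstance(node, dict):
        for key, value in node.items():
            leaks += find_path_leaks(value, f"{trail}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            leaks += find_path_leaks(value, f"{trail}[{index}]")
    elif isinstance(node, str) and LOCAL_PATH.match(node):
        leaks.append((trail, node))
    return leaks


def check_response(body):
    """Parse a JSON response body and list suspected path disclosures."""
    return find_path_leaks(json.loads(body))


# Constructed sample body; the field names are hypothetical placeholders.
SAMPLE_RESPONSE = json.dumps({
    "ocs": {
        "meta": {"status": "ok", "statuscode": 100},
        "data": {
            "id": "alice",
            "groups": ["users"],
            "exampleStoragePath": "/var/www/example/data/alice",
            "exampleWebPath": "/remote.php/dav/files/alice",
        },
    }
})

if __name__ == "__main__":
    for json_path, value in check_response(SAMPLE_RESPONSE):
        print(f"possible path disclosure at {json_path}: {value}")
```

Run against a saved response from an authenticated test account, a non-empty result marks the fields to review before they reach the client.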
Hi, please update to 24.0.9 or better 25.0.3 and report back if it fixes the issue. Thank you!
My goal is to add a label like e.g. 25-feedback to this ticket of an up-to-date major Nextcloud version where the bug could be reproduced. However this is not going to work without your help. So thanks for all your effort!
Bug description
When doing a GET request on
/ocs/v1.php/cloud/user?format=json
the server returns user data, including one containing the full local server path:
This is not a big security issue (as you need to be logged-in to get that response), but this is data that an attacker shouldn't be able to know easily.