In Nextcloud Server versions prior to 21.0.3, there was a lack of rate limiting on the public share link mount endpoint. This may have allowed an attacker to enumerate potentially valid share tokens.
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-crvj-vmf7-xrvr
https://hackerone.com/reports/1192144
https://github.com/nextcloud/server/pull/26958
https://github.com/nextcloud/server/commit/1ed66f2ac17a2b4effba46a13ed735b67a1e94ba