CVE-2017-0895

low

Published 2017-05-08 · Modified 2026-05-13

CVSS v3

3.5

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

CVSS v2

3.5

VIR risk

3.5

Description

Nextcloud Server before 10.0.4 and 11.0.2 are vulnerable to disclosure of calendar and addressbook names to other logged-in users. Note that no actual content of the calendar and addressbook has been disclosed.

Predictions

Exploit likelihood

45%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: support@hackerone.com — https://nextcloud.com/security/advisory/?id=nc-sa-2017-012

Application impact

Vendor	Product	Versions	Fixed
nextcloud	nextcloud_server	`{"startIncluding":"10.0.0","endExcluding":"10.0.4"}`	`10.0.4`

References

https://hackerone.com/reports/203594
https://nextcloud.com/security/advisory/?id=nc-sa-2017-012
https://hackerone.com/reports/203594
https://nextcloud.com/security/advisory/?id=nc-sa-2017-012

CWEs

CWE-285 CWE-200

Verify integrity in audit chain (admin only). AS-IS.