CVE-2021-39224

Name of the Vulnerable Software and Affected Versions Nextcloud OfficeOnline versions prior to 1.1.1

Description The Nextcloud OfficeOnline application returned verbatim exception messages to the user, which could result in a full path disclosure on shared files. For example, an attacker could see that the file shared.txt is located within /files/$username/Myfolder/Mysubfolder/shared.txt.

Recommendations For versions prior to 1.1.1, upgrade the OfficeOnline application to 1.1.1. As a temporary workaround, consider disabling the OfficeOnline application in the app settings until a patch is available.