User Editable nextcloud Wiki pages of Public Repositories
Discovered by chernobyl on Nextcloud

This issue was not triaged and was closed after 0 days and 11 hours.



Summary:

I have found that the "Edit" permissions of wiki pages are NOT disabled on the public repositories of Nextcloud. Generally, edit permissions are given only to the collaborators of a specific repository, but that is not the case with Nextcloud: it is publicly editable, which isn't right in terms of security.

An attacker can create a new wiki page on this particular Nextcloud GitHub wiki; there is no restriction on it:

https://github.com/nextcloud/logreader/wiki

An attacker could include any content/links and direct users to other similar Nextcloud pages to steal user information. The attacker could even present false information to the user to get them to provide their private keys or passwords using a form/page.

Impact:

These wikis should not be publicly editable due to the possibility of abuse through activities such as phishing, defacement, etc.

Many companies (even on HackerOne) are correcting this issue and removing the "Edit" permissions from the wiki pages of public repositories.