A missing access control check in Nextcloud Server < 18.0.1, < 17.0.4, and < 16.0.9 causes hide-download shares to be downloadable when appending /download to the URL. Upstream Advisory: https://nextcloud.com/security/advisory/?id=NC-SA-2020-015
Created nextcloud tracking bugs for this issue: Affects: epel-7 [bug 1838536] Affects: fedora-30 [bug 1838534] Affects: fedora-31 [bug 1838535]