I assume that the attack works only if an attacker has a valid user session (or credentials). In the case of NextCloud on my company’s premises, HTTPS or HTTP makes no difference to the attack vector - the JSON which I get from the web app consists of only a few user details, like my login and name.
Still, the vulnerability description seems unclear to me because, to quote: “with all username informations”
What ‘informations’ can an attacker obtain? Just usernames? Or usernames + passwords? Very ambiguous.
I cannot confirm or reproduce the issue without testing an OwnCloud environment, which may seem like the obvious answer to my questions - test it yourself.
Perhaps someone has already done some research and can shed some light.