Scoped apptokens can be changed by that very apptoken
High
Nextcloud
Reported by
rtod
Vulnerability Details
Technical details and impact analysis
I noticed that there is the possibility to limit apptokens to not be able to access the filesystem.
1. Create a new apptoken in `https://server/settings/user/security`
2. Click the .. of your new apptoken and make it not allowed to access the filesystem
3. Log out
4. Navigate to `https://server/remote.php/dav` and login with your username + apptoken
5. Navigate again to `https://server/settings/user/security`
6. You won't be able to access the apptoken data
7. Obtain the CSRF token
8. Send a PUT request to `https://server/settings/personal/authtokens/ID` changing the scope
Now the ID you do not know. However even on a decent sized system it is not hard to iterate this as there is no rate limiting or throttling at all.
And voila. You have filesystem access.
You could also remove other apptokens of the same user (if you'd want).
## Impact
Leaked scoped tokens could be used to gain full access to all your data. Defeating the whole purpose of scoped tokens.
I recommend:
1. Only allow tokens that result from a real login (so user+pass+2fa) to modify/delete tokens
2. Do not allow the current token in use to edit itself
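The two recommendations above, plus the missing throttling the report points out, modelled as a single authorization check on the token-management endpoint. This is an added example written for this page, not Nextcloud's own code; `Session`, `AppToken`, `TokenStore` and the denial counter are hypothetical names.

```python
"""Added example (not Nextcloud code): an access check for a
PUT .../authtokens/ID style endpoint that changes a token's scope."""
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    token_id: int            # id of the credential that authenticated this request
    via_app_password: bool   # True when the login used an app token, not password + 2FA
    two_factor_passed: bool


@dataclass
class AppToken:
    id: int
    user: str
    filesystem_access: bool


class TokenStore:
    def __init__(self, tokens):
        self.tokens = {t.id: t for t in tokens}
        self.denied = {}  # user -> refused management requests (constructed throttle)

    def update_scope(self, session: Session, target_id: int, filesystem_access: bool) -> str:
        """Return 'ok' or a denial reason. Every refusal is counted per user so a
        lockout kicks in long before a token id could be found by iteration."""
        if self.denied.get(session.user, 0) >= 10:
            return "throttled"
        # Recommendation 1: only a real login (password + 2FA) may manage tokens.
        if session.via_app_password or not session.two_factor_passed:
            return self._deny(session.user, "management requires a full login")
        # Recommendation 2: the credential in use may never change its own scope.
        if target_id == session.token_id:
            return self._deny(session.user, "token may not edit itself")
        token = self.tokens.get(target_id)
        # One answer for unknown and foreign ids, so ids are not confirmable.
        if token is None or token.user != session.user:
            return self._deny(session.user, "not found")
        token.filesystem_access = filesystem_access
        return "ok"

    def _deny(self, user: str, reason: str) -> str:
        self.denied[user] = self.denied.get(user, 0) + 1
        return reason
```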
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Bounty
$1000.00
Weakness
Improper Access Control - Generic