4992 matches found
Nextcloud: Path traversal allows tricking the Talk Android app into writing files into its root directory
Vulnerability description not provided...
Nextcloud: App stores client secret unencrypted in database
The client secret used to identify the Nextcloud server was stored in plain text in the database, making it vulnerable to unauthorized access...
Nextcloud: OAuth2 client_secret stored in plain text in the database
An OAuth2 client secret was stored in plain text in a database. If accessed without authorization, this would have allowed the client secret to be easily read, enabling impersonation of any OAuth2 client...
CVE-2023-31145
Collabora Online is a collaborative online office suite based on LibreOffice technology. This vulnerability report describes a reflected XSS vulnerability with full CSP bypass in Nextcloud installations using the recommended bundle. The vulnerability can be exploited to perform a trivial account...
Cross site scripting
Collabora Online is a collaborative online office suite based on LibreOffice technology. This vulnerability report describes a reflected XSS vulnerability with full CSP bypass in Nextcloud installations using the recommended bundle. The vulnerability can be exploited to perform a trivial account...
CVE-2023-31145
CVE-2023-31145 describes a reflected XSS with full CSP bypass in Collabora Online when installed with the Nextcloud bundle. The vulnerability allows an attacker to inject malicious code into pages and run it in the victim's browser session, enabling a trivial account takeover attack. Exploitation re...
CVE-2023-31145 Reflected XSS vulnerability in CollaboraOnline
Collabora Online is a collaborative online office suite based on LibreOffice technology. This vulnerability report describes a reflected XSS vulnerability with full CSP bypass in Nextcloud installations using the recommended bundle. The vulnerability can be exploited to perform a trivial account...
Cross-Site Request Forgery (CSRF)
nextcloud-client is vulnerable to Cross-Site Request Forgery (CSRF). An attacker could make a user send a POST request with an arbitrary body if the user clicks a malicious deep link on a Windows-based machine, exploiting the vulnerability...
Collabora Online cross-site scripting vulnerability
Collabora Online is an application from Collabora UK: a powerful LibreOffice-based online office that supports all major document, spreadsheet and presentation file formats. A cross-site scripting vulnerability exists in Collabora Online versions prior to 22.05.13, 21.11.9 and 6.4.27, which stems from th...
PT-2023-23178 · Collabora · Collabora Online
Name of the Vulnerable Software and Affected Versions: Collabora Online versions prior to 22.05.13 Collabora Online versions prior to 21.11.9 Collabora Online versions prior to 6.4.27 Description: This issue describes a reflected XSS vulnerability with full CSP bypass in Nextcloud installations...
Nextcloud: Password reset endpoint is not brute force protected
The lostpassword flow in Nextcloud was missing brute force protection for the password reset endpoint, allowing attackers to potentially brute force the token without being throttled...
Nextcloud: User scoped external storage can be used to gather credentials of other users
Vulnerability description not provided...
Nextcloud: Open redirect on "Unsupported browser" warning
An open redirect vulnerability was found in Nextcloud's UnsupportedBrowser.vue component. Attackers could construct a malicious URL that includes the redirecturl parameter and a URL of their choice, which would redirect the user to the attacker's URL without validating the decoded URL or checking...
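The entry above describes the classic open redirect shape: a `redirecturl` parameter is decoded and navigated to without checking where it points. The following is an added example, not code from Nextcloud or from the UnsupportedBrowser.vue component, showing the weak pattern next to a same-origin check that closes it. The app origin, the function names and the sample parameter values are assumptions constructed for this example.

```javascript
// Added example, not Nextcloud's code: how an open redirect like the one above
// happens, and a same-origin check that closes it. The app origin, the function
// names and the sample inputs are assumptions made up for this example.

const APP_ORIGIN = 'https://cloud.example.test'; // assumed origin of the instance

// Weak pattern: decode the redirecturl parameter and navigate to it as-is.
// Whatever the attacker put in the link is where the user ends up.
function unsafeRedirectTarget(redirecturl) {
  return decodeURIComponent(redirecturl);
}

// Hardened pattern: decode once, resolve with the URL parser against the app's
// own origin, and only accept the result if it still lives on that origin.
// Returns the path to navigate to, or null if the caller should fall back to '/'.
function safeRedirectTarget(redirecturl, origin = APP_ORIGIN) {
  let decoded;
  try {
    decoded = decodeURIComponent(redirecturl);
  } catch {
    return null; // malformed percent-encoding
  }
  let parsed;
  try {
    // Resolving against the origin turns '/apps/files' into a full same-origin
    // URL, but also turns '//evil.example' or '/\evil.example' into a
    // different host, which is exactly what a prefix check on '/' would miss.
    parsed = new URL(decoded, origin);
  } catch {
    return null; // not parseable as a URL at all
  }
  if (parsed.origin !== origin) {
    return null; // other host, other scheme, or opaque origin (javascript:, data:)
  }
  // Hand back only the same-origin path, never the attacker's raw string.
  return parsed.pathname + parsed.search + parsed.hash;
}

// Constructed sample values a redirecturl parameter might carry.
const SAMPLES = [
  '%2Fapps%2Ffiles',                                  // legitimate: /apps/files
  'https%3A%2F%2Fevil.example%2F',                    // absolute cross-origin URL
  '%2F%2Fevil.example%2Fphish',                       // protocol-relative
  '%2F%5Cevil.example',                               // backslash trick: /\evil.example
  'javascript%3Aalert%281%29',                        // script scheme
  'https%3A%2F%2Fcloud.example.test.evil.example%2F', // origin lookalike
];

// Runs both variants over the samples so the difference is visible side by side.
function compareSamples() {
  return SAMPLES.map((s) => ({
    input: s,
    unsafe: unsafeRedirectTarget(s),
    safe: safeRedirectTarget(s),
  }));
}

console.table(compareSamples());
```

The decisive detail is using the URL parser rather than a string check such as `startsWith('/')`: the parser applies the browser's own rules for protocol-relative and backslash-prefixed inputs, so the origin comparison matches what the browser would actually do. Decoding happens exactly once, so a double-encoded value lands in the path of the app's own origin instead of becoming a host.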
Missing Encryption Of Sensitive Data
nextcloud-client is vulnerable to Missing Encryption of Sensitive Data. The vulnerability is caused by a lack of authenticity of metadata keys, allowing a malicious server to gain access to E2EE folders, which lets it decrypt files, recover the folder structure and add new files...
Improper Certificate Validation
nextcloud-desktop is vulnerable to Improper Certificate Validation. Trusting the server to return a user's keypair certificate allows a malicious server to encrypt user files with a key known to the attacker...
Nextcloud: Text does not respect 'Allow download' permissions
A security vulnerability was discovered in Nextcloud that allowed users to bypass the 'Allow download' permission for sensitive images shared in a folder. This vulnerability allowed unauthorized users to download the images, potentially leading to the leakage of sensitive information...
The vulnerability of cloud-based software for creating and using Nextcloud data storage allows an attacker to cause a service failure.
The vulnerability of cloud-based software for creating and using Nextcloud storage solutions is related to the lack of restrictions on the download of files. Exploiting this vulnerability can allow a malicious actor, operating remotely, to cause service failures by downloading arbitrary files ont...
The vulnerability of cloud-based software for creating and using Nextcloud data storage allows a hacker to induce a service failure.
The vulnerability of cloud-based software for creating and using Nextcloud storage solutions is related to the use of a name with an incorrect reference. Exploiting this vulnerability could allow a malicious actor to cause service failures...
The vulnerability of cloud-based software for creating and using Nextcloud data storage allows a hacker to execute arbitrary code.
The vulnerability of cloud-based software for creating and using Nextcloud data storage solutions is related to the lack of security measures taken to protect the website structure. Exploiting this vulnerability allows a malicious actor to execute arbitrary code on the target system remotely...