
4992 matches found

OSV
added 2022/11/25 7:15 p.m. · 2 views

UBUNTU-CVE-2022-39331

Nextcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application in the notifications. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue...

5.4 CVSS · 5.8 AI score · 0.00864 EPSS
Exploits 1 · References 2
Prion
added 2022/11/25 7:15 p.m. · 18 views

Design/Logic Flaw

user_oidc is an OpenID Connect user backend for Nextcloud. In versions prior to 1.2.1 sensitive information such as the OIDC client credentials and tokens are sent in plain text of HTTP without TLS. Any malicious actor with access to monitor user traffic may have been able to compromise account...

4 CVSS · 4.5 AI score · 0.0042 EPSS
Exploits 0 · References 3 · Affected Software 1
Hacker One
added 2022/11/25 4:25 p.m. · 31 views

Nextcloud: Messages can still be seen on conversation after expiring when cron is misconfigured

A vulnerability in Nextcloud Talk allowed expired chat messages to still be visible to anyone with access to the conversation, even after the message expiration time had passed...

4.3 CVSS · 4.4 AI score · 0.00799 EPSS
Exploits 1
Hacker One
added 2022/11/25 11:50 a.m. · 29 views

Nextcloud: OAuth2 "authorization_code" is valid indefinitely

A security advisory reported that the OAuth2 endpoint was not following best practices, as the authorization code was generated without a timeout, allowing an attacker with access to obtain and redeem the code in the future...

3.7 CVSS · 4.3 AI score · 0.00452 EPSS
Exploits 0
Nextcloud
added 2022/11/25 11:32 a.m. · 26 views

nextcloudcmd incorrectly trusts bad TLS certificates

None...

4.7 CVSS · 4.7 AI score · 0.00194 EPSS
Exploits 1 · References 3 · Affected Software 1
Nextcloud
added 2022/11/25 11:31 a.m. · 30 views

XSS in Desktop Client in call notification popup

None...

6.1 CVSS · 6 AI score · 0.00882 EPSS
Exploits 1 · References 2 · Affected Software 1
Nextcloud
added 2022/11/25 11:30 a.m. · 32 views

XSS in Desktop Client via user status and information

None...

5.4 CVSS · 5.4 AI score · 0.00884 EPSS
Exploits 1 · References 2 · Affected Software 1
Nextcloud
added 2022/11/25 11:30 a.m. · 35 views

XSS in Desktop Client in the notifications

None...

5.4 CVSS · 5.4 AI score · 0.00864 EPSS
Exploits 1 · References 2 · Affected Software 1
Nextcloud
added 2022/11/25 11:27 a.m. · 30 views

Cleartext Transmission of Sensitive Information in user_oidc

None...

4.3 CVSS · 4.8 AI score · 0.0042 EPSS
Exploits 0 · References 2 · Affected Software 1
Nextcloud
added 2022/11/25 11:25 a.m. · 29 views

Missing length validation of user displayname allows to generate an SQL error

None...

6.5 CVSS · 6.3 AI score · 0.0099 EPSS
Exploits 0 · References 2 · Affected Software 1
Nextcloud
added 2022/11/25 11:23 a.m. · 49 views

Talk Android broadcast receiver is not protected by broadcastPermission allowing malicious apps to communicate

None...

5.5 CVSS · 5.6 AI score · 0.00267 EPSS
Exploits 0 · References 2 · Affected Software 1
Positive Technologies
added 2022/11/25 12:0 a.m. · 6 views

PT-2022-24909 · Nextcloud · User Oidc

Name of the Vulnerable Software and Affected Versions: user_oidc versions prior to 1.2.1. Description: The issue concerns the user_oidc OpenID Connect user backend for Nextcloud, where sensitive information such as OIDC client credentials and tokens are sent in plain text over HTTP without TLS in...

4.3 CVSS · 4.3 AI score · 0.0042 EPSS
Exploits 0 · References 6
Cvelist
added 2022/11/25 12:0 a.m. · 35 views

CVE-2022-41926 Nextcloud Talk Android broadcast incorrect permission handling

Nextcloud Talk Android is the Android OS implementation of the Nextcloud Talk chat system. In affected versions the receiver is not protected by broadcastPermission allowing malicious apps to monitor communication. It is recommended that the Nextcloud Talk Android is upgraded to 14.1.0. There are...

3.3 CVSS · 5.7 AI score · 0.00267 EPSS
Exploits 0 · References 3
Vulnrichment
added 2022/11/25 12:0 a.m. · 7 views

CVE-2022-39331 Cross-site Scripting (XSS) in Nextcloud Desktop Client

Nextcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application in the notifications. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue...

4.6 CVSS · 7.1 AI score · 0.00864 EPSS
Exploits 1 · References 3
Vulnrichment
added 2022/11/25 12:0 a.m. · 5 views

CVE-2022-39332 Cross-site scripting (XSS) in Nextcloud Desktop Client

Nextcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application via user status and information. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for...

4.6 CVSS · 7.2 AI score · 0.00884 EPSS
Exploits 1 · References 3
Vulnrichment
added 2022/11/25 12:0 a.m. · 5 views

CVE-2022-39346 Missing length validation of user displayname in nextcloud server

Nextcloud server is an open source personal cloud server. Affected versions of Nextcloud server did not properly limit user display names which could allow malicious users to overload the backing database and cause a denial of service. It is recommended that the Nextcloud Server is upgraded to...

3.5 CVSS · 6.3 AI score · 0.0099 EPSS
Exploits 0 · References 6
Cvelist
added 2022/11/25 12:0 a.m. · 22 views

CVE-2022-39339 Cleartext Transmission of Sensitive Information in user_oidc

user_oidc is an OpenID Connect user backend for Nextcloud. In versions prior to 1.2.1 sensitive information such as the OIDC client credentials and tokens are sent in plain text of HTTP without TLS. Any malicious actor with access to monitor user traffic may have been able to compromise account...

4.3 CVSS · 4.8 AI score · 0.0042 EPSS
Exploits 0 · References 3
CVE
added 2022/11/25 12:0 a.m. · 81 views

CVE-2022-39334

CVE-2022-39334 affects the Nextcloud CLI tool nextcloudcmd (not the GUI/server). The vulnerability arises because nextcloudcmd prior to 3.6.1 would incorrectly trust invalid TLS certificates, enabling a local attacker to perform a MITM to exfiltrate data or credentials. Affected versions are befo...

4.7 CVSS · 4.6 AI score · 0.00194 EPSS
Exploits 1 · References 5 · Affected Software 1
CNNVD
added 2022/11/25 12:0 a.m. · 4 views

Nextcloud cross-site scripting vulnerability

Nextcloud is an open source suite of self-hosted file synchronization and sharing communication application platform from Nextcloud, Germany. A cross-site scripting vulnerability exists in Nextcloud desktop versions prior to 3.6.1, which allows an attacker to inject arbitrary hypertext markup...

5.4 CVSS · 5.5 AI score · 0.00864 EPSS
Exploits 1 · References 4
CNNVD
added 2022/11/25 12:0 a.m. · 3 views

Nextcloud resource management error vulnerability

Nextcloud is a suite of open source, self-hosted file synchronization and sharing communication application platform from Nextcloud Germany. A resource management error vulnerability exists in Nextcloud Server that stems from not properly restricting a user's display name, which could allow a...

6.5 CVSS · 6.3 AI score · 0.0099 EPSS
Exploits 0 · References 7