4991 matches found
CVE-2022-39333
CVE-2022-39333 affects the Nextcloud Desktop Client. An attacker can inject arbitrary HTML into the Desktop Client application, enabling potential HTML/JS injection via the UI. Affected software: Nextcloud Desktop client prior to upgrade. Mitigation: upgrade to Nextcloud Desktop version 3.6.1 or ...
Nextcloud Trust Management Issue Vulnerability
Nextcloud is an open source, self-hosted file synchronization and sharing communication application platform from Nextcloud, Germany. A trust management issue vulnerability exists in versions of Nextcloud desktop prior to 3.6.1, which stems from the possibility of incorrectly trusting invalid TLS...
CVE-2022-41926
CVE-2022-41926 concerns the Nextcloud Talk Android app. The receiver component is not protected by broadcastPermission in affected versions, enabling a malicious app to monitor communication locally. The issue is tied to Nextcloud Talk Android prior to 14.1.0. Remediation in all sources is to upg...
CVE-2022-41926 Nextcloud Talk Android broadcast incorrect permission handling
Nextcloud Talk Android is the Android implementation of the Nextcloud Talk chat system. In affected versions the receiver is not protected by broadcastPermission, allowing malicious apps to monitor communication. It is recommended that Nextcloud Talk Android is upgraded to 14.1.0. There are...
Nextcloud Cross-Site Scripting Vulnerability
Nextcloud is an open source suite of self-hosted file synchronization and sharing communication application platform from Nextcloud, Germany. A cross-site scripting vulnerability exists in Nextcloud Desktop versions prior to 3.6.1, which originates from an attacker being able to inject arbitrary...
CVE-2022-39333 Cross-site scripting (XSS) in Nextcloud Desktop Client
Nextcloud Desktop is the desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue...
CVE-2022-39332 Cross-site scripting (XSS) in Nextcloud Desktop Client
Nextcloud Desktop is the desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application via user status and information. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for...
CVE-2022-39338 Stored cross site scripting (XSS) vulnerability via Authorization Endpoint in user_oidc
user_oidc is an OpenID Connect user backend for Nextcloud. Versions prior to 1.2.1 did not properly validate discovery URLs, which may lead to a stored cross-site scripting attack vector. The impact is limited due to the restrictive CSP that is applied on this endpoint. Additionally this...
CVE-2022-39334 nextcloudcmd incorrectly trusts bad TLS certificates
Nextcloud also ships a CLI utility called nextcloudcmd which is sometimes used for automated scripting and headless servers. Versions of nextcloudcmd prior to 3.6.1 would incorrectly trust invalid TLS certificates, which may enable a Man-in-the-middle attack that exposes sensitive data or...
CVE-2022-39339
Summary of CVE-2022-39339: The Nextcloud OpenID Connect user backend, named user_oidc, is affected in versions prior to 1.2.1. The root cause is that sensitive data such as OIDC client credentials and tokens could be transmitted in plain HTTP (no TLS), enabling interception by anyone monitoring...
Nextcloud: Ability to control the filename when uploading a logo or favicon on theming
A vulnerability existed in Nextcloud that allowed an attacker to control the filename of a logo or favicon when uploading it, by modifying the key. This could result in the attacker uploading any files directly in the webapp and path disclosure. The vulnerability has been fixed...
Arbitrary Code Execution
Nextcloud is vulnerable to arbitrary code execution. If a user received a malicious file share, has it synced locally or has the virtual file system enabled, and clicked a nc://open/ link, it will open the default editor for the file type of the shared file, which on Windows means that a file...
Nextcloud has an unspecified vulnerability (CNVD-2022-77502)
A security vulnerability exists in Nextcloud Desktop Client, an open source self-hosted file synchronization and sharing communication application platform from Nextcloud Germany, which stems from the fact that its desktop client could be tricked into opening/executing local files when clicking o...
CVE-2022-41882
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with your computer. In version 3.6.0, if a user received a malicious file share and has it synced locally or the virtual filesystem enabled and clicked a nc://open/ link it will open the default editor for the file...
DEBIAN-CVE-2022-41882
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with your computer. In version 3.6.0, if a user received a malicious file share and has it synced locally or the virtual filesystem enabled and clicked a nc://open/ link it will open the default editor for the file...
Design/Logic Flaw
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with your computer. In version 3.6.0, if a user received a malicious file share and has it synced locally or the virtual filesystem enabled and clicked a nc://open/ link it will open the default editor for the file...