Nextcloud: Mail app - blind SSRF via smtpHost parameter
A blind SSRF vulnerability was discovered in the Nextcloud Mail application, allowing an attacker to retrieve services running locally on the server and scan the internal network for information. The vulnerability was found in the smtpHost parameter and could be exploited by any user with the mai...
Nextcloud: Disabled download shares still allow download through preview images
Summary: Steps To Reproduce: 1. Share a folder and disable the "Allow download" permission 2. Now as the recipient of the file you can still download the preview of the file This is an issue for images but also for shared documents where viewing them in Collabora would present them watermarked bu...
Nextcloud: Hide download previews are accessible without a watermark
A vulnerability was discovered in Nextcloud that allowed users to access download previews without a watermark, even when the watermark option was enabled. This could potentially compromise the privacy of the document and goes against the intended purpose of the feature...
Nextcloud: Insecure randomness for default password in file sharing when password policy app is disabled
The password generation function used for protecting shared links in Nextcloud was using an insecure random number generator, which could allow an attacker to access the shared files without knowledge of the password...
Nextcloud: Mail app - Blind SSRF via Sieve server functionality and sieveHost parameter
A blind SSRF vulnerability was discovered in the Nextcloud Mail application, allowing an attacker to map the server and internal network by sending a crafted request to an unexpected destination. The vulnerability was found in the sieveHost parameter when adding a filter via a sieve filter server...
Nextcloud: CSRF vulnerability in Nextcloud Desktop Client 3.6.1 on Windows when clicking malicious link
Summary: It is possible to make a user send any POST request with an arbitrary body given they click on a malicious deep link, e.g. in an email, chat link, etc. This vulnerability was introduced in an attempt to fix 1720043. The patch however can be bypassed and also introduced a CSRF vulnerability...
Nextcloud: Mail app - blind SSRF via imapHost parameter
A blind SSRF vulnerability was discovered in the Nextcloud Mail application. An attacker could exploit this vulnerability to retrieve services running locally on the server and scan the internal network for information about which IPs are responding and which services are running on each IP...
Nextcloud: Secure view trivial to bypass
The secure view feature in Nextcloud was vulnerable to bypassing, allowing users to download files without watermarks. This was possible by using the richdocuments app and adding "/contents" to the URL. The checkbox indicating that downloading is not allowed was misleading, and a solution could b...
Nextcloud: Download permissions can be changed by resharer
Download permissions in Nextcloud 25 could be changed by a resharer, rendering the secure view feature for internal shares useless. This allowed users to download files without the watermark and other security measures...
Nextcloud: Suspicious login app ships old league/flysystem version
A vulnerability in the Suspicious Login app allowed a remote attacker to execute arbitrary code on the target system due to a race condition. The vulnerability was caused by an outdated version of the Flysystem library 0.1.0 - 2.1.0 that allowed a malicious user to upload and execute arbitrary co...
Nextcloud: Desktop client can be tricked into opening/executing local files when clicking a nc://open/ link
The Nextcloud Desktop Client in version 3.6.0 was vulnerable to a Remote Code Execution that could be exploited by anyone who could upload files to an instance the user had access to. The vulnerability was caused by the insecure implementation of the "local edit" feature, which allowed attackers ...
Nextcloud: XSS in Desktop Client in call notification popup
Summary: The Nextcloud Desktop Client application does not properly neutralize the name of a group conversation before using it. Steps To Reproduce: Server Machine: 1. Install the Nextcloud Server application 2. Create an administrator account 3. Create a user account Client Machine: 4. Install t...
Nextcloud: Vulnerable moment-timezone version shipped
An information exposure vulnerability was found in the moment-timezone package used by Nextcloud server. Attackers could sniff network traffic during data transmission, making exploitation easier. The vulnerability was patched in version 0.5.35 by replacing the FTP endpoint with an HTTPS endpoint...
Nextcloud: XSS in Desktop Client via user status and information
Summary: The Nextcloud Desktop Client application does not properly neutralize the Full Name and Status Message of users before using them. Steps To Reproduce: Server Machine: 1. Install the Nextcloud Server application 2. Log into your account 3. Navigate to your profile page 4. Set the Full Nam...
Nextcloud: Guests can continue to receive video streams from call after being removed from a conversation
Summary: If the HPB is used and a guest is removed from a conversation while said guest is in a call the guest will no longer appear in the participant list and the call will appear as ended for the other participants. However, for the guest the call UI is still shown. If other participants start...
Nextcloud Server < 23.0.8, 24.x < 24.0.4 SSRF Vulnerability (GHSA-rmf9-w497-8cq8)
Nextcloud Server is prone to a server-side request forgery (SSRF) vulnerability. SPDX-FileCopyrightText: 2022 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...
Nextcloud Server < 23.0.7, 24.x < 24.0.3 Information Disclosure Vulnerability (GHSA-vqgm-f748-g76v)
Nextcloud Server is prone to an information disclosure vulnerability.
Nextcloud: SSRF via filter bypass due to lax checking on IPs
Lax checking of IPs in Nextcloud allowed for a filter bypass vulnerability that could be exploited by attackers to gain SSRF. The filtration technique failed when met with some of the more advanced SSRF payloads like the alphanumeric ones, allowing attackers to bypass IP filters and gain access...
CVE-2022-39212
Nextcloud Talk is an open source chat, video & audio calls client for the Nextcloud platform. In affected versions an attacker could see the last video frame of any participant who has video disabled but a camera selected. It is recommended that the Nextcloud Talk app is upgraded to 13.0.8 or...
CVE-2022-39210
Nextcloud Android is the official Android client for the Nextcloud home server platform. Internal paths to the Nextcloud Android app files are not properly protected. As a result, access to internal files from within the Nextcloud Android app is possible. This may lead to a leak of sensitiv...