Malicious code in nextcloud-mail (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 49b707040d71b3da11b82122e52723a5f64ca6b9384db7ab5b48995623e258af Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in nextcloud-register (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 2317f28ae6ccf882edcce4b84c415b83e74e907d70fdbef61abccbcad87095b3 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2022-4831 Malicious code in nextcloud-register (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 2317f28ae6ccf882edcce4b84c415b83e74e907d70fdbef61abccbcad87095b3 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2022-4829 Malicious code in nextcloud-mail (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 49b707040d71b3da11b82122e52723a5f64ca6b9384db7ab5b48995623e258af Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in nextcloud-activity (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware c5be14942e4baffb9148a1ef55abac43b46bee3da640df6498632a2980795cf1 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in nextcloud-cookbook (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 67a05fe7110f0b29da6c76fc1534cc2fcf9ff752fdc542306e5b83641defc79c Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in nextcloud-news (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware b8505e1d287500e7ff318e12f512cecdc2558579d1ebfbca10e7ab5ce53d1cc7 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2022-4830 Malicious code in nextcloud-news (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware b8505e1d287500e7ff318e12f512cecdc2558579d1ebfbca10e7ab5ce53d1cc7 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2022-4827 Malicious code in nextcloud-cookbook (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 67a05fe7110f0b29da6c76fc1534cc2fcf9ff752fdc542306e5b83641defc79c Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2022-4826 Malicious code in nextcloud-activity (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware c5be14942e4baffb9148a1ef55abac43b46bee3da640df6498632a2980795cf1 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in nextcloud-js-tests (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware b16d1ebcc082e0916e1ebfbf2a580ae6ef9e6167138c0df20449a63917dcd6ff Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2022-4828 Malicious code in nextcloud-js-tests (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware b16d1ebcc082e0916e1ebfbf2a580ae6ef9e6167138c0df20449a63917dcd6ff Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Nextcloud: @nextcloud/logger NPM package brings vulnerable ansi-regex version
Summary: Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to the sub-patterns \;? and ?:;-a-zA-Z\d\/&.:=?%@. Details: Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate...
Nextcloud: Generated passwords are not fully validated by HIBPValidator
Summary: If the Nextcloud server generates a secure random password, e.g. for sharing files, the validation is checked before the shuffle function str_shuffle is called. In very rare cases it could happen that a password is validated by HIBPValidator before str_shuffle, but would not validate after...
Nextcloud: Information exposure in guzzlehttp/guzzle (https://github.com/nextcloud/3rdparty/tree/master/guzzlehttp/guzzle)
Summary: Affected versions of this package are vulnerable to Information Exposure which fails to strip the Authorization header on HTTP downgrade, this dependency is out of date and it can lead to still authorization header. Steps To Reproduce:...
Nextcloud: Brute force protections don't work
Summary: Most of the brute force protections don't actually throttle the response and so they are not logging negative attempts. Search for functions with the @BruteForceProtection annotation and check that they call throttle on the response at least conditionally. Impact: Brute force protection is...
Nextcloud: Lack of Brute force protection while joining video call in talk section which is password protected
Advisory at https://github.com/nextcloud/security-advisories/security/advisories/GHSA-pf36-jvpv-4hwq...
Nextcloud: Talk Android broadcast receiver is not protected by broadcastPermission allowing malicious apps to communicate
Summary: Call to registerReceiver misses the broadcastPermission argument - no permissions will be checked for the broadcaster, which allows a malicious application to communicate with the broadcast receiver. Supporting Material/References: Screenshot Snyk report references to fixes in other repo...
Nextcloud: Calendar name length not validated before writing to database
Security advisory at https://github.com/nextcloud/security-advisories/security/advisories/GHSA-m92j-xxc8-hq3v...
Nextcloud: Missing character limitation allows to put generate a database error
Hi Security Team, Summary: There is no limit to the number of characters in the display name, which allows a DoS attack. The DoS attack affects server-side. Description: On the input form of Username in nextcloud.com/settings/user there's no Input validation using this you can...