Nextcloud: Nextcloud update checks leaks information
Hi, I think this is more of a privacy concern than a security concern. However, I wanted to check here first. Please direct me to another suitable location if needed. It is in relation to https://github.com/nextcloud/server/blob/master/lib/private/Updater/VersionCheck.php#L78 This is sending sever...
openSUSE: Security Advisory for nextcloud-desktop (openSUSE-SU-2021:0577-1)
The remote host is missing an update for the Copyright (C) 2021 Greenbone Networks GmbH Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...
Nextcloud: Attacker can obtain write access to any federated share/public link
Hi mates, I stumbled across this with public links. But the same holds true for any federated share. I will try to describe the link scenario. At first I thought there were more steps and resharing was involved. But it really is very simple: 1. An attacker obtains a public link (again, plenty of...
Nextcloud: Password policy changes not enforced for existing passwords
So this is two reports in one. Sort of. But they are the same issue, or at least related. 1. When you set up your Nextcloud there is no password policy at all. There is the strength indicator. I get that the password policy app is not yet active at that point. But a minimum length would not be that...
Nextcloud: Targeted phishing attacks in Login flow v2
Vulnerability description not provided...
OPENSUSE-SU-2021:0577-1 Security update for nextcloud-desktop
This update for nextcloud-desktop fixes the following issues: nextcloud-desktop was updated to 3.1.3: - desktop2884 stable-3.1 Add support for Hirsute - desktop2920 stable-3.1 Validate sensitive URLs to only allow https schemes. - desktop2926 stable-3.1 Validate the provider's SSL certificate -...
Cross-Site Scripting (XSS)
@nextcloud/dialogs is vulnerable to cross-site scripting (XSS). A remote attacker is able to inject and execute arbitrary JavaScript in a user's browser via a toast message...
Security update for nextcloud-desktop (important)
openSUSE Security Update: Security update for nextcloud-desktop Announcement ID: openSUSE-SU-2021:0577-1 Rating: important References: 1184770 Cross-References: CVE-2021-22879 CVSS scores: CVE-2021-22879 SUSE: 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L Affected Products: openSUSE Leap 15.2 ...
Nextcloud: Nextcloud deck sharee search leaks searches to lookupserver by default
So, in short this is related to the other 2 reports https://hackerone.com/reports/1167916 and https://hackerone.com/reports/1167919 While I could not find deck on your h1 page, I kind of assume it is in scope as well, as this is something you sell with the 'groupware' subscription...
Nextcloud: File drop public link can also be converted to federated share
So bear with me, because this one requires some user interaction and makes some assumptions. 1. victim creates a file drop public link 2. attacker has that link 3. the 'add to your Nextcloud' is hidden, but if you manually craft the request and send it, a federated share will still be created. for...
Nextcloud: Default Nextcloud server config and iOS Nextcloud client leak sharee searches to Nextcloud
In short this is the same as https://hackerone.com/reports/1167916 but then for iOS, so please forgive the copy paste. On a clean Nextcloud setup the functionality "Search global and public address book for users" is enabled. Now when searching for a sharee to share with, the lookup parameter is no...
Nextcloud: Default Nextcloud Server and Android Client leak sharee searches to Nextcloud
On a clean Nextcloud setup the functionality "Search global and public address book for users" is enabled. Now when searching for a sharee to share with, the lookup parameter is not passed to the server, resulting in...
Nextcloud: Trusted servers exchange can be triggered by attacker
Hi again, So this seems to be less bad these days as the trusted servers are no longer enabled by default; however, they were some versions ago. The trusted servers exchanged the full user list with another server as soon as 1 federated share is created between two instances. It is questionable if...
Nextcloud: Federated shares are not password protected
Hi again, So more from me. Bear with me because this is a highly theoretical issue. But I nevertheless think it should be mitigated. Or at least disclosed. Premise: 1. user1 on serverA has a federated share established with user2 on serverB 2. the database (not the full system) of serverB is...
Nextcloud: Unexpected federated shares added via public link
So I'm not 100% sure if this is a security issue or not. But it is in my opinion at least unexpected and could be handled better to make sure people trust the system. 1. Get a public link share (again, plenty of those around) 2. Click the 'add to your Nextcloud' 3. A federated share is added/create...
@nextcloud/vue (>=2.1.0 <=2.7.0) potentially affected by CVE-2021-29438 via @nextcloud/dialogs (>=1.4.0 <=2.0.1)
@nextcloud/dialogs NPM version =1.4.0, =2.1.0, =2.7.0 Source cves: CVE-2021-29438 Source advisory: OSV:GHSA-G3FQ-3V3G-MH32...
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in @nextcloud/dialogs
Impact The Nextcloud dialogs library before 3.1.2 did insufficiently escape text input passed to a toast. If your application displays toasts with user-supplied input, this could lead to an XSS vulnerability. Note: Nextcloud Server employs a strict Content Security Policy that mitigates the risk o...
GHSA-G3FQ-3V3G-MH32 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in @nextcloud/dialogs
Impact The Nextcloud dialogs library before 3.1.2 did insufficiently escape text input passed to a toast. If your application displays toasts with user-supplied input, this could lead to an XSS vulnerability. Note: Nextcloud Server employs a strict Content Security Policy that mitigates the risk o...
openSUSE: Security Advisory for nextcloud (openSUSE-SU-2021:0262-1)
The remote host is missing an update for the Copyright (C) 2021 Greenbone Networks GmbH Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...
DEBIAN-CVE-2021-22879
Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowing a malicious server to execute remote commands. User interaction is needed for exploitation...