CVE-2020-8280
A missing file type check in Nextcloud Contacts 3.4.0 allows a malicious user to upload SVG files as PNG files to perform cross-site scripting XSS attacks...
Cross site scripting
A missing file type check in Nextcloud Contacts 3.3.0 allows a malicious user to upload malicious SVG files to perform cross-site scripting XSS attacks...
CVE-2020-8280
CVE-2020-8280 — Nextcloud Contacts 3.4.0 suffers from a missing file type check that lets an attacker upload SVG files with a PNG extension to trigger cross-site scripting (XSS) when viewing a contact image. The issue is documented across multiple feeds (NVD/NSS, CNVD, Red Hat, OSV) and is ...
CVE-2020-8281
Nextcloud Contacts 3.3.0 is affected by a missing file type check that allows uploading SVG files, enabling cross-site scripting (XSS). The issue is documented in the Nextcloud advisory NC-SA-2020-045 and corroborated by CNVD/NVD entries and a related HackerOne report, indicating practical XSS vi...
Nextcloud cross-site scripting vulnerability
Nextcloud Contacts is the user interface for Nextcloud's CardDAV server. A cross-site scripting vulnerability exists in Nextcloud Contacts 3.4.0, caused by a missing file type check. An attacker can exploit it to conduct cross-site scripting attacks by uploading SVG fil...
Nextcloud cross-site scripting vulnerability
Nextcloud Contacts is the user interface for Nextcloud's CardDAV server. A cross-site scripting vulnerability exists in Nextcloud Contacts 3.3.0, caused by a missing file type check. An attacker can exploit this vulnerability by uploading a malicious SVG file to conduct a...
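The entries above all describe the same failure: the extension (or client-supplied Content-Type) was trusted, so an SVG carrying script could be stored and served as a contact photo. The following is an added example, not Nextcloud Contacts code, of the check a server-side upload handler should make instead: classify the bytes, allow only raster formats, and require the sniffed type to match the declared extension. The function names, the allow-list and the malicious sample upload are all constructed for the demo.

```python
"""Added example (not Nextcloud Contacts code): reject an SVG that was uploaded
under a .png name by sniffing the file content rather than trusting the
extension or the client-supplied Content-Type. The sample upload is constructed."""
import re
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"
GIF_MAGICS = (b"GIF87a", b"GIF89a")
ALLOWED = {"png", "jpeg", "gif"}          # raster formats only; SVG is never accepted


def sniff_image_type(data: bytes) -> str:
    """Classify by content. Returns 'png', 'jpeg', 'gif', 'svg' or 'unknown'."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data.startswith(GIF_MAGICS):
        return "gif"
    # SVG is XML text: the <svg root element may be preceded by a BOM, an XML
    # declaration, comments or a DOCTYPE, so search the head instead of the prefix.
    head = data[:4096]
    if head.startswith(b"\xef\xbb\xbf"):
        head = head[3:]
    if re.search(rb"<svg[\s>]", head, re.IGNORECASE):
        return "svg"
    return "unknown"


def validate_contact_photo(filename: str, data: bytes) -> tuple[bool, str]:
    """Accept only an allowed raster type whose sniffed type matches the extension."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = {"jpg": "jpeg"}.get(ext, ext)
    actual = sniff_image_type(data)
    if actual not in ALLOWED:
        return False, f"rejected: content is {actual}, not an allowed raster image"
    if actual != ext:
        return False, f"rejected: extension .{ext} does not match content {actual}"
    return True, actual


# Constructed malicious upload: a script-bearing SVG that the client names avatar.png.
EVIL_SVG_AS_PNG = (
    b'<?xml version="1.0"?>\n'
    b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.cookie)">'
    b"<script>alert(1)</script></svg>"
)


def minimal_png() -> bytes:
    """Build a valid 1x1 RGB PNG so the accepted case is real image data, not a stub."""
    def chunk(tag: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(tag + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, colour type 2 (RGB)
    idat = zlib.compress(b"\x00\x00\x00\x00")            # filter byte + one RGB pixel
    return PNG_MAGIC + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


if __name__ == "__main__":
    print(validate_contact_photo("avatar.png", EVIL_SVG_AS_PNG))
    print(validate_contact_photo("avatar.png", minimal_png()))
```

The content check is only half of the fix: whatever is accepted should be served with a Content-Type derived from the sniffed type and `X-Content-Type-Options: nosniff`, because a browser handed an SVG body with an image/png label will otherwise sniff and render it as a document in the site's origin.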
Nextcloud: Database error shown to the user when using a long guest name in richdocuments
When sharing a file to a guest and the file is allowed for editing, the user is asked to enter a guest name. If you enter a really long value for that name, you get a database error that displays sensitive information: An exception occurred while executing 'INSERT INTO...
Nextcloud: Acting under any different user via DB-stored credentials
The issue is related to all Nextcloud versions. It is not patched yet. All versions 18-20 seem to be vulnerable. The issue came up in the following environment: - nextcloud docker image 20.0.2 and 20.0.3 - LDAP authentication - external SMB shares via DB-stored credentials. The problem came up...
Nextcloud: Two-factor authentication enforcement bypass
The attacker could bypass the two-factor authentication enforcement. Steps to reproduce: 1. Login with an Administrator account. 2. Click on your administrator profile icon. 3. Users - Add group - group name: Enforcement. 4. New User - Username: Bypass - Password: NextCloudEnforcement - Add User in...
Nextcloud Server 19.0.1 Encryption Vulnerability (NC-SA-2020-039)
Nextcloud Server is prone to a vulnerability where it is possible to downgrade the encryption scheme and break the integrity through a known-plaintext attack. SPDX-FileCopyrightText: 2020 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the...
Nextcloud Server File Block Overwrite Vulnerability (NC-SA-2020-038)
Nextcloud Server is prone to a vulnerability where the Message Authentication Codes calculated by the Default Encryption Module allow an attacker to silently overwrite blocks in a file. SPDX-FileCopyrightText: 2020 Greenbone AG. Some text descriptions might be excerpted from referenced sources and...
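The two advisories above (NC-SA-2020-039 and NC-SA-2020-038) are both failures of what a per-block MAC binds. The following is an added example, not Nextcloud's Default Encryption Module, showing the general class: when the tag covers only the block's own IV and ciphertext, anyone who can write to the stored file can copy an authenticated block over another one and the file still verifies; when the file id, block index and scheme version are fed into the MAC input as associated data, the same copy fails, and so does flipping the stored version marker to an older scheme. The stream cipher, keys, file id and plaintext are constructed for the demo; `demo()` returns what the weak scheme silently accepts and whether the bound scheme rejects both tamperings.

```python
"""Added example (not Nextcloud's Default Encryption Module): a per-block MAC that
covers only the ciphertext lets an attacker copy one authenticated block over
another without any key; binding file id, block index and scheme version into
the MAC input stops both the overwrite and a version downgrade. Keys, file id
and plaintext are constructed for the demo."""
import hashlib
import hmac
import os

BLOCK = 16  # demo block size


def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in stream cipher (demo only)."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _aad(file_id: bytes, index: int, version: int, bound: bool) -> bytes:
    """Associated data authenticated with each block; empty in the weak variant."""
    if not bound:
        return b""
    return file_id + index.to_bytes(8, "big") + bytes([version])


def encrypt_file(key, mac_key, file_id, plaintext, version, bound):
    """Return a list of (iv, ciphertext, tag) blocks; each block has its own IV."""
    blocks = []
    for i in range(0, len(plaintext), BLOCK):
        chunk = plaintext[i:i + BLOCK]
        iv = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(chunk, _keystream(key, iv, len(chunk))))
        mac_input = _aad(file_id, i // BLOCK, version, bound) + iv + ct
        tag = hmac.new(mac_key, mac_input, hashlib.sha256).digest()
        blocks.append((iv, ct, tag))
    return blocks


def decrypt_file(key, mac_key, file_id, blocks, version, bound):
    """Verify every tag before decrypting; raise on the first mismatch."""
    out = b""
    for idx, (iv, ct, tag) in enumerate(blocks):
        mac_input = _aad(file_id, idx, version, bound) + iv + ct
        expect = hmac.new(mac_key, mac_input, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            raise ValueError(f"integrity failure at block {idx}")
        out += bytes(a ^ b for a, b in zip(ct, _keystream(key, iv, len(ct))))
    return out


def overwrite_block(blocks, src, dst):
    """Attacker with write access to the stored file but no keys: copy block src over dst."""
    tampered = list(blocks)
    tampered[dst] = tampered[src]
    return tampered


def demo():
    key, mac_key, file_id = b"k" * 32, b"m" * 32, b"file-42"   # constructed
    pt = b"A" * BLOCK + b"B" * BLOCK + b"C" * BLOCK

    # Weak scheme: the copied block verifies and silently replaces block 1.
    weak_blocks = overwrite_block(encrypt_file(key, mac_key, file_id, pt, 1, False), 0, 1)
    weak_result = decrypt_file(key, mac_key, file_id, weak_blocks, 1, False)

    # Bound scheme: the same copy fails verification, and so does a version downgrade.
    strong = encrypt_file(key, mac_key, file_id, pt, 1, True)

    def rejected(blocks, version):
        try:
            decrypt_file(key, mac_key, file_id, blocks, version, True)
            return False
        except ValueError:
            return True

    return weak_result, rejected(overwrite_block(strong, 0, 1), 1), rejected(strong, 0)


if __name__ == "__main__":
    print(demo())
```

The point the demo makes is that "every block has a valid MAC" is not the same as "the file is the one that was written": the tag must also answer which file, which position and which scheme, or the attacker can assemble a file that verifies out of parts the victim authenticated.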
Nextcloud Trust Management Issues Vulnerabilities
Nextcloud is an open-source, self-hosted file synchronization, sharing and communication platform from Nextcloud (Germany). A trust management vulnerability exists in Nextcloud Social versions prior to 0.4.0; it stems from a failure to validate server credentials for...
Nextcloud Social app access control error vulnerability
Nextcloud Social is a social networking app from Nextcloud (Germany). An access control vulnerability exists in version 0.3.1 of the Nextcloud Social app: the affected version does not properly enforce access control on user requests. There is...
Nextcloud: Clickjacking URLS
Hey Team, while performing security testing of your websites I have found the vulnerability called Clickjacking. Many URLs are in scope and vulnerable to Clickjacking. The server didn't return an X-Frame-Options header, which means that this website could be at risk of a clickjacking attack. The...
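A missing X-Frame-Options header is only a finding if nothing else restricts framing. The following is an added example, not part of the report above, of how a triager can decide from raw response headers whether a page is actually frameable: a Content-Security-Policy `frame-ancestors` directive takes precedence over X-Frame-Options in current browsers, a Report-Only policy enforces nothing, and the obsolete `ALLOW-FROM` form is ignored. The sample responses are constructed.

```python
"""Added example (not from the report): decide whether a response can be framed
by a third-party origin from its X-Frame-Options and CSP frame-ancestors headers.
The sample HTTP responses are constructed."""


def parse_headers(raw: bytes) -> dict[str, list[str]]:
    """Split a raw HTTP response into a lower-cased header name -> values map."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers: dict[str, list[str]] = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def _open_source(src: str) -> bool:
    """frame-ancestors sources that permit any origin."""
    return src == "*" or src in ("http:", "https:") or src.endswith("://*")


def framing_policy(raw: bytes) -> tuple[str, str]:
    """Return ('protected' | 'unprotected' | 'weak', reason)."""
    h = parse_headers(raw)
    # An enforced CSP frame-ancestors directive overrides X-Frame-Options.
    # Content-Security-Policy-Report-Only is deliberately not consulted.
    for csp in h.get("content-security-policy", []):
        for directive in csp.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                sources = [p.lower() for p in parts[1:]]
                if any(_open_source(s) for s in sources):
                    return "unprotected", f"frame-ancestors allows any origin: {directive.strip()}"
                return "protected", f"CSP {directive.strip() or 'frame-ancestors (empty = none)'}"
    xfo = [v.upper() for v in h.get("x-frame-options", [])]
    if not xfo:
        return "unprotected", "no X-Frame-Options and no CSP frame-ancestors"
    if len(set(xfo)) > 1:
        return "weak", f"conflicting X-Frame-Options values {xfo}"
    if xfo[0] in ("DENY", "SAMEORIGIN"):
        return "protected", f"X-Frame-Options: {xfo[0]}"
    if xfo[0].startswith("ALLOW-FROM"):
        return "weak", "ALLOW-FROM is obsolete and ignored by current browsers"
    return "weak", f"unrecognised X-Frame-Options value {xfo[0]!r}"


# Constructed responses covering the cases a triager meets.
NO_HEADERS = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
XFO_ONLY = b"HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n"
CSP_NONE = (b"HTTP/1.1 200 OK\r\nContent-Security-Policy: default-src 'self'; "
            b"frame-ancestors 'none'\r\n\r\n")
CSP_WILDCARD = (b"HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n"
                b"Content-Security-Policy: frame-ancestors *\r\n\r\n")
REPORT_ONLY = (b"HTTP/1.1 200 OK\r\n"
               b"Content-Security-Policy-Report-Only: frame-ancestors 'none'\r\n\r\n")
ALLOW_FROM = b"HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOW-FROM https://example.com\r\n\r\n"


if __name__ == "__main__":
    for name, resp in [("no headers", NO_HEADERS), ("xfo", XFO_ONLY), ("csp none", CSP_NONE),
                       ("csp wildcard", CSP_WILDCARD), ("report-only", REPORT_ONLY),
                       ("allow-from", ALLOW_FROM)]:
        print(f"{name:13s} -> {framing_policy(resp)}")
```

Running this against a captured response tells you whether the report's claim holds: a page with only a Report-Only policy, or with `frame-ancestors *` next to `X-Frame-Options: DENY`, is frameable despite looking defended at first glance.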
CVE-2020-8279
Missing validation of server certificates for out-going connections in Nextcloud Social 0.4.0 allowed a man-in-the-middle attack...
CVE-2020-8278
Improper access control in Nextcloud Social app version 0.3.1 allowed to read posts of any user...