4969 matches found
PT-2020-20041 · Nextcloud +1 · Nextcloud Desktop Client +1
Name of the Vulnerable Software and Affected Versions: Nextcloud Desktop Client version 2.6.4. Description: A memory leak in the OCUtil.dll library can lead to a Denial of Service (DoS) against the host system. Recommendations: For Nextcloud Desktop Client version 2.6.4, at the moment, there is no...
PT-2020-20036 · Openssl +2 · Openssl +2
Name of the Vulnerable Software and Affected Versions: Nextcloud Desktop Client version 2.6.4. Description: A code injection issue in the Nextcloud Desktop Client allowed the loading of arbitrary code when a malicious OpenSSL configuration was placed in a fixed directory. Recommendations: For...
Nextcloud Preferred Providers app denial of service vulnerability
Nextcloud Preferred Providers app is an application for logging into Nextcloud by Nextcloud Germany. A security vulnerability exists in the Nextcloud Preferred Providers app prior to version 1.7.0 that stems from the program failing to properly validate user input. An attacker could exploit the...
Nextcloud: Possible denial of service when entering a loooong password
You can create a very long password until you get the last user to put and aries or DoS. Normally passwords have 8-10-24 digits. By sending a very long password 1.000.000 characters. Usually this problem is caused by a vulnerable password hashing implementation. When a long password is sent, the...
Nextcloud: DoS attack against the client when entering a long password
Hi team, My report like this 840598 entering a long password the denial of service attack on the server please fix it. Steps: 1. Create account on https://nextcloud.com/signup/ 2. Enter any password and login. 3. After you login go to your settings. 4. Go to here...
CVE-2020-8202
Improper check of inputs in Nextcloud Preferred Providers app v1.6.0 allowed to perform a denial of service attack when using a very long password...
Input validation
Improper check of inputs in Nextcloud Preferred Providers app v1.6.0 allowed to perform a denial of service attack when using a very long password...
CVE-2020-8202
CVE-2020-8202 affects the Nextcloud Preferred Providers app (v1.6.0) due to improper input validation, allowing a denial-of-service when a very long password is entered. Root cause: input validation failure in the app. Impact: server DoS and potential unavailability. Mitigation: upgrade to 1.7.0 ...
Nextcloud: Formula Injection vulnerability in CSV export feature
Dear Nextcloud Team – I have identified a formula injection vulnerability in the CSV export feature of the Forms App. I am aware that the Forms app is not part of this bug bounty program but was advised to disclose it via HackerOne anyway. Description. When an Excel/Calc formula is sent as...
Re-Sharing allows increase of privileges (NC-SA-2020-029)
A logic error in Nextcloud Server 19.0.0 caused a privilege escalation allowing malicious users to reshare with higher permissions than they got assigned themselves...
Nextcloud: PIN for passwordless WebAuthn is asked for but not verified
Nextcloud introduced WebAuthn passwordless authentication with version 19. As far as we understand, you assume that your implementation provides two-factor authentication: "The server asking for authentication can request verification of multiple factors, so that a configured key requires the user...
Access control missing while viewing the attachments in the 'All boards' (NC-SA-2020-036)
Missing access control in Nextcloud Deck 1.0.4 caused an insecure direct object reference allowing an attacker to view all attachments...
Nextcloud: No rate limiting on signup page
Hi Team, Summary: As a best practice a login page should have a rate limiting. Below is the captured request of respective login page of nextcloud.com: POST...
Nextcloud Contacts Code Issue Vulnerability
Nextcloud is an open source, self-hosted file synchronization and sharing communication application platform from Nextcloud Germany. Nextcloud Contacts is one of the contact information synchronization and editing applications. A security vulnerability in Nextcloud Contacts version 3.2.0 exists du...
Nextcloud: Improper access control to messages of Social app
The Social App https://apps.nextcloud.com/apps/social lacks access controls in the displayPost function /@username/token allowing an unauthenticated user to view any message content by knowing or guessing the message ID. The vulnerable code is at...
CVE-2020-8181
A missing file type check in Nextcloud Contacts 3.2.0 allowed a malicious user to upload any file as avatars...
Design/Logic Flaw
A missing file type check in Nextcloud Contacts 3.2.0 allowed a malicious user to upload any file as avatars...