CVE-2020-8118

CVE-2020-8118 describes an authenticated server-side request forgery (SSRF) in Nextcloud Server 16.0.1 . The vulnerability exists in the calendar application’s “add new subscription” workflow and permits an attacker to detect local and remote services. The connected documents consistently identif...

CVE-2019-15621

Nextcloud Server 16.0.1 is affected by CVE-2019-15621: an improper permissions preservation enables sharees to reshare with write permissions when sharing the mount point of a received share via a public link. Root cause is a permissions preservation flaw in the sharing flow; exploitation details...

CVE-2019-15613

CVE-2019-15613 affects Nextcloud Server 17.0.1, where a bug causes workflow rules to depend on the file extension when checking MIME types. This can impact all three security properties (confidentiality, integrity, availability) per CVSS metrics (NVD: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H; base sco...

CVE-2020-8119

CVE-2020-8119 affects Nextcloud Server 17.0.0 and is described as improper authorization that leaks previews and files when a file-drop share link is opened via the gallery app. The connected updates show this vulnerability being addressed in Nextcloud-related security updates (e.g., openSUSE/SUS...

CVE-2019-15616

CVE-2019-15616 affects Nextcloud Server (notably Nextcloud Server 16) where dangling remote share attempts can cause DNS pollution when the system runs for extended periods. Public sources describe the vulnerability as a DNS pollution condition resulting from improper handling of remote shares. T...

CVE-2020-8118

An authenticated server-side request forgery in Nextcloud server 16.0.1 allowed to detect local and remote services when adding a new subscription in the calendar application...

CVE-2020-8119

Improper authorization in Nextcloud server 17.0.0 causes leaking of previews and files when a file-drop share link is opened via the gallery app...

CVE-2020-8120

CVE-2020-8120 describes a reflected XSS in Nextcloud Server 16.0.1 related to SVG logo generation. The issue affects the SVG rendering path (logo) via user-controllable inputs and has a CVSS v3.1 base score of 6.1 (MEDIUM). Public references (NVD/CVE records and Nextcloud advisory) confirm the vu...

CVE-2019-15619

Improper neutralization of file names, conversation names and board names in Nextcloud Server 16.0.3, Nextcloud Talk 6.0.3 and Nextcloud Deck 0.6.5 causes an XSS when linking them with each others in a project...

CVE-2019-15611

Violation of Secure Design Principles in the iOS App 2.23.0 causes the app to leak its login and token to other Nextcloud services when search e.g. for federated users or registering for push notifications...

CVE-2019-15622

Not strictly enough sanitization in the Nextcloud Android app 3.6.0 allowed an attacker to get content information from protected tables when using custom queries...

CVE-2020-8122

CVE-2020-8122 affects Nextcloud Server 14.0.3, where a missing authorization check on share expiration updates lets a recipient extend the expiration date of a share they received. The root cause is an inadequate validation of the requester as the owner when modifying a share’s expiration. This v...

CVE-2019-15617

A missing check in Nextcloud Server 17.0.0 allowed an attacker to set up a new second factor when trying to login...

CVE-2019-15616

Dangling remote share attempts in Nextcloud 16 allow a DNS pollution when running long...

CVE-2019-15624

Improper Input Validation in Nextcloud Server 15.0.7 allows group admins to create users with IDs of system folders...

CVE-2019-15613

A bug in Nextcloud Server 17.0.1 causes the workflow rules to depend their behaviour on the file extension when checking file mimetypes...

CVE-2020-8120

A reflected Cross-Site Scripting vulnerability in Nextcloud Server 16.0.1 was discovered in the svg generation...

CVE-2020-8121

Nextcloud Server 14.0.4 contains a bug where data could be exposed via reshared link shares beyond what the sharer intended. Evidence from multiple sources shows this could allow access to extended data in reshared links, including expired reshared links that still grant access to the full folder...

CVE-2019-15623

Exposure of Private Information in Nextcloud Server 16.0.1 causes the server to send it's domain and user IDs to the Nextcloud Lookup Server without any further data when the Lookup server is disabled...

CVE-2019-15620

CVE-2019-15620 describes an improper access control vulnerability in Nextcloud Talk 6.0.3 where the existence and names of private conversations can be leaked when those conversations are linked to another shared item via the Projects feature. Affected component is Nextcloud Talk (Spreed) 6.0.3. ...