4969 matches found

Nextcloud
added 2019/06/27 12:0 a.m. | 40 views

Improper permission preservation on reshares (NC-SA-2020-012)

Improper permissions preservation in Nextcloud Server 16.0.1 causes sharees to be able to reshare with write permissions when sharing the mount point of a share they received, as a public link...

4 CVSS | 2.2 AI score | 0.01056 EPSS
Exploits 0 | Affected Software 1

Hacker One
added 2019/06/26 3:58 p.m. | 29 views

Nextcloud: CSRF vulnerability that allows an attacker to modify encryption settings

The POST request to /ocs/v2.php/apps/provisioningapi/api/v1/config/apps/core/encryptionenabled is missing a unique token, so that if an attacker can trick an admin user with an active session to visit an attacker-controlled website, he/she can control the core application setting "encryptionenabled...

0.5 AI score
Exploits 0

Nextcloud
added 2019/06/26 12:0 a.m. | 32 views

User IDs and Nextcloud server leaked to Nextcloud Lookup server with disabled settings (NC-SA-2019-016)

Exposure of Private Information in Nextcloud Server 16.0.1 causes the server to send its domain and user IDs to the Nextcloud Lookup Server without any further data when the Lookup server is disabled...

5 CVSS | 1.6 AI score | 0.01876 EPSS
Exploits 1 | Affected Software 1

Hacker One
added 2019/06/22 12:4 a.m. | 62 views

Nextcloud: Wordpress Users Disclosure

Information: Using REST API, we can see all the WordPress users/author with some of their information. Step to Reproduce: You can get user info by entering below url in your browser: https://nextcloud.com/wp-json/wp/v2/users Reference: 356047 Impact: Authors : LTR , LTREditor can be created scenario...

1.2 AI score
Exploits 0

Hacker One
added 2019/06/20 3:20 p.m. | 27 views

Nextcloud: Arbitrary code execution in desktop client via OpenSSL config

Summary: The nextcloud windows desktop application utilizes a precompiled OpenSSL library called libeay32.dll. This OpenSSL library attempts to load c:\usr\local\ssl\openssl.cnf when the nextcloud windows application is launched. The c:\usr\local\ssl\openssl.cnf file does not exist. By default, o...

4.6 CVSS | 0.2 AI score | 0.00659 EPSS
Exploits 1

Hacker One
added 2019/06/19 4:50 a.m. | 92 views

Nextcloud: User with read-only access to a share can gain write access to sub-folders in the share

user0 creates folders /test and /test/sub user0 creates file /test/sub/file.txt user0 shares folder /test with user1 with read+share permissions 17 user1 receives the folder /test and can read-download /test/sub/file.txt - good user1 creates a link share of /test/sub - it has permissions 1...

4 CVSS | 6.8 AI score | 0.01056 EPSS
Exploits 0

Hacker One
added 2019/06/11 12:15 p.m. | 43 views

Nextcloud: Reflected XSS / Markup Injection in `index.php/svg/core/logo/logo` parameter `color`

I just found a reflected Cross-Site Scripting (XSS) vulnerability in Nextcloud Server that affects current stable and dates back to at least 15.0.5. The vulnerability seems mitigated by a Content-Security-Policy (CSP), but there might be a residual risk for phishing, due to the CSP's lack of a...

4.3 CVSS | 0.00894 EPSS
Exploits 1

CNVD
added 2019/06/10 12:0 a.m. | 4 views

Nextcloud Extract App OS Command Injection Vulnerability

Nextcloud is an open source self-hosted file synchronization and sharing communication application platform from Nextcloud, Germany. Extract App is one of the compressed file extractors. An operating system command injection vulnerability exists in Nextcloud Extract App versions prior to 1.2.0. The...

7.8 AI score
Exploits 0 | References 1

CNVD
added 2019/06/10 12:0 a.m. | 5 views

Extract add-on for Nextcloud OS Command Injection Vulnerability

Extract add-on for Nextcloud is a set of component applications for Nextcloud. An input validation vulnerability exists in Extract add-on for Nextcloud lib/Controller/ExtractionController.php, which allows remote attackers to submit a special request that can be used to execute arbitrary OS comman...

9 CVSS | 7.7 AI score | 0.02555 EPSS
Exploits 1 | References 1

OSV
added 2019/06/05 2:29 p.m. | 5 views

CVE-2019-12739

lib/Controller/ExtractionController.php in the Extract add-on before 1.2.0 for Nextcloud allows Remote Code Execution via shell metacharacters in a RAR filename via ajax/extractRar.php nameOfFile and directory parameters...

8.8 CVSS | 7.4 AI score | 0.02555 EPSS
Exploits 1 | References 2

NVD
added 2019/06/05 2:29 p.m. | 13 views

CVE-2019-12739

lib/Controller/ExtractionController.php in the Extract add-on before 1.2.0 for Nextcloud allows Remote Code Execution via shell metacharacters in a RAR filename via ajax/extractRar.php nameOfFile and directory parameters...

9 CVSS | 9.4 AI score | 0.02555 EPSS
Exploits 1 | References 2

Prion
added 2019/06/05 2:29 p.m. | 23 views

Remote code execution

lib/Controller/ExtractionController.php in the Extract add-on before 1.2.0 for Nextcloud allows Remote Code Execution via shell metacharacters in a RAR filename via ajax/extractRar.php nameOfFile and directory parameters...

6.5 CVSS | 8.9 AI score | 0.02555 EPSS
Exploits 1 | References 2 | Affected Software 1

Cvelist
added 2019/06/05 1:57 p.m. | 19 views

CVE-2019-12739

lib/Controller/ExtractionController.php in the Extract add-on before 1.2.0 for Nextcloud allows Remote Code Execution via shell metacharacters in a RAR filename via ajax/extractRar.php nameOfFile and directory parameters...

9 CVSS | 9.4 AI score | 0.02555 EPSS
Exploits 1 | References 2

CVE
added 2019/06/05 1:57 p.m. | 62 views

CVE-2019-12739

The CVE-2019-12739 entry concerns the Nextcloud Extract add-on: lib/Controller/ExtractionController.php vulnerable before version 1.2.0. It allows Remote Code Execution via shell metacharacters in a RAR filename passed through ajax/extractRar.php (nameOfFile and directory parameters). Affected co...

9 CVSS | 8.9 AI score | 0.02555 EPSS
Exploits 1 | References 2 | Affected Software 1

Hacker One
added 2019/05/30 7:32 p.m. | 35 views

Nextcloud: Non-admin users can trigger writes to memcached by entering a malicious server as a share URL

Dangling remote share attempts in Nextcloud 16 allow a DNS pollution when running long...

4 CVSS | 3.8 AI score | 0.00765 EPSS
Exploits 0

Hacker One
added 2019/05/26 4:50 a.m. | 34 views

Nextcloud: Linux client is vulnerable to directory traversal when downloading files

Summary: The Nextcloud Linux client is vulnerable to directory traversal when downloading files from a Nextcloud server. A malicious Nextcloud administrator can exploit the vulnerability to write arbitrary files to a user's computer with the potential for remote command execution under certain...

7.1 CVSS | 7.2 AI score | 0.2245 EPSS
Exploits 1

Hacker One
added 2019/05/23 12:44 p.m. | 27 views

Nextcloud: Memory Leak in OCUtil.dll library in Desktop client can lead to DoS

The function `IsChildFile(const wchar_t* rootFolder, const wchar_t* file)` in FileUtil.cpp allocates memory on line 42 and fails to free it. The following PoC code can provide evidence. The code and the PoC executable is attached to this report. Also OCUtils.dll and OCUtilsx64.dll library which is...

4.9 CVSS | 0.4 AI score | 0.00466 EPSS
Exploits 1

Hacker One
added 2019/05/13 3:2 p.m. | 40 views

Nextcloud: Vulnerable W3 Total Cache plugin version in use on nextcloud.com

Hi there, I noticed you are currently using a vulnerable version of W3 Total Cache, as the changelog containing the plugin version is publicly reachable: https://nextcloud.com/wp-content/plugins/w3-total-cache/changelog.txt W3 Total Cache makes the site vulnerable to a series of attacks, includin...

0.8 AI score
Exploits 0

Hacker One
added 2019/05/09 5:15 p.m. | 26 views

Nextcloud: Blind Stored XSS on iOS App due to Unsanitized Webview

Hi Team! I found a Blind XSS that can be executed on the iOS App due to an unsanitized webview. Using this issue, an attacker can extract information from the victim. Steps To Reproduce: 1. Upload malicious HTML, share to victim 2. Wait for the victim to open it F487447 F487448 HTML payload attached, don't forget to change...

3.5 CVSS | 0.4 AI score | 0.00783 EPSS
Exploits 0

Hacker One
added 2019/05/02 7:36 p.m. | 27 views

Nextcloud: W3 Total Cache plugin multiple vulnerabilities

W3 Total Cache plugin version = 0.9.4.1 on the https://nextcloud.com has multiple vulnerabilities. See the screenshot.png Impact Remote Command Execution, Unauthenticated Security Token Bypass, Unauthenticated Arbitrary File Read etc...

3.6 AI score
Exploits 0