
4969 matches found

Hacker One
added 2019/04/28 6:30 p.m. (14 views)

Nextcloud: External Storage - WebDAV - New user has access to storage from deleted user (same user-ID)

Delete existing user account "user3". Create new user account "user3". Also reported on https://github.com/nextcloud/server/issues/15258. Impact: Newly created user with same user-id of a deleted user has access to the configured external webdav storage from the deleted user...

AI score 0.2 | Exploits 0
Hacker One
added 2019/04/23 9:09 a.m. (1141 views)

Nextcloud: Remote Code Execution via Extract App Plugin

Hi, I found a critical issue in the Add-on "Extract" listed in the Nextcloud Marketplace: https://apps.nextcloud.com/apps/extract. This extension can be installed directly from Nextcloud Application. The vulnerability was found in file extract/lib/Controller/ExtractionController.php line 102. The...

AI score 0.3 | Exploits 0
Hacker One
added 2019/04/10 3:16 p.m. (22 views)

Nextcloud: Combination of content provider allows private data disclosure

Good afternoon. Sorry, it's me again .. I use NC on a daily basis so I often make some checks .. As per 489105, document thumbnail shall not be disclosed. The exposure on thumbnailCache/ is an already known issue. However, malicious apps are still able to extract at least pictures and text files b...

CVSS 2.1 | AI score 0.4 | EPSS 0.00434 | Exploits 1
Hacker One
added 2019/04/03 4:34 a.m. (27 views)

Nextcloud: In Dockerized Environments, Failing to Read config.php Grants Any Anonymous User Full Admin Access

Consider this deployment:
- Nextcloud is already installed in a Dockerized environment.
- There are two Nextcloud containers running in the environment.
- Both containers share the same MySQL database.
- Both containers share the same data /var/www/html/data and config /var/www/html/config via...

AI score 1.7 | Exploits 0
Nextcloud
added 2019/04/01 12:00 a.m. (34 views)

2FA sessions not properly expired on password change (NC-SA-2020-001)

A bug in Nextcloud Server 15.0.2 causes pending 2FA logins to not be correctly expired when the password of the user is reset...

CVSS 3.2 | AI score 1.2 | EPSS 0.0032 | Exploits 0 | Affected Software 1
Hacker One
added 2019/03/29 12:20 p.m. (34 views)

Nextcloud: SQLi allow query restriction bypass on exposed FileContentProvider

FileContentProvider is an exposed provider. As per its definition on https://github.com/nextcloud/android/blob/master/src/main/java/com/owncloud/android/providers/FileContentProvider.java, limited set of data shall be exposed as per @l444 switch mUriMatcher.matchuri case ROOTDIRECTORY: case...

CVSS 2.1 | AI score 3.6 | EPSS 0.00507 | Exploits 1
Tenable Nessus
added 2019/03/27 12:00 a.m. (21 views)

openSUSE Security Update : nextcloud (openSUSE-2019-655)

This update for nextcloud fixes security issues and bugs. Security issues fixed:
- CVE-2018-3780: Stored XSS in autocomplete suggestions for file comments (boo#1114817)
This update also contains all bug fixes and improvements in the 13.0.8 version, including:
- Password expiration time changed fro...

CVSS 5.4 | AI score 5.2 | EPSS 0.00769 | Exploits 0 | References 2
Tenable Nessus
added 2019/03/27 12:00 a.m. (21 views)

openSUSE Security Update : nextcloud (openSUSE-2019-640)

This update for nextcloud to version 13.0.5 fixes the following issues. Security issues fixed:
- CVE-2018-3780: Fixed a missing sanitization of search results for an autocomplete field that could lead to a stored XSS requiring user-interaction. The missing sanitization only affected user names,...

CVSS 5.4 | AI score 5.3 | EPSS 0.00769 | Exploits 0 | References 2
Tenable Nessus
added 2019/03/27 12:00 a.m. (18 views)

openSUSE Security Update : nextcloud (openSUSE-2019-511)

This update for nextcloud fixes the following issues. Security issues fixed:
- CVE-2018-3761: Fix improper authentication on the OAuth2 token endpoint (bsc#1100344).
- CVE-2018-3762: Fix improper checks of dropped permissions for incoming shares allowing a user to still request previews for files ...

CVSS 8.1 | AI score 5.6 | EPSS 0.01657 | Exploits 0 | References 4
Hacker One
added 2019/03/26 10:13 a.m. (38 views)

Nextcloud: [Reflected XSS] In Request URL

In index.php file on 1765 we can see XSS: " Because NextCloud allows links like: '/index.php/ANYCONTENT' If we will do request like: POST /updater/index.php/h"alert1; HTTP/1.1 Host: vulns.local Content-Type: application/x-www-form-urlencoded Content-Length: 33 updater-secret-input=OURSECRET We wil...

CVSS 3.5 | AI score 1.1 | EPSS 0.00729 | Exploits 0
Nextcloud
added 2019/03/26 12:00 a.m. (25 views)

Reflected XSS in redirect of the Updater (NC-SA-2020-007)

Missing escaping of HTML in the Updater of Nextcloud 15.0.5 allowed a reflected XSS when starting the updater from a malicious location...

CVSS 3.5 | AI score 0.8 | EPSS 0.00729 | Exploits 0 | Affected Software 1
Hacker One
added 2019/03/13 5:22 p.m. (48 views)

Nextcloud: Missing DNSSEC

The nextcloud.com domain does not have DNSSEC enabled...

AI score 1.4 | Exploits 0
Hacker One
added 2019/03/12 3:48 p.m. (37 views)

Nextcloud: Group admins can remove arbitrary data from "data" directory (including admin data)

Steps to reproduce:
1. Create a new user and make him an admin of an arbitrary group
2. Log in as this new user
3. Create a new user "filesexternal", "appdatarandom-data", ..
4. Delete this user
Result: The data/filesexternal / data/appdata.. folder is removed.
Solution: Prevent creation of users...

CVSS 4 | AI score 3 | EPSS 0.01472 | Exploits 1
Hacker One
added 2019/03/12 3:45 p.m. (36 views)

Nextcloud: Nextcloud domain and name of every user leaked to lookup server

Steps to reproduce:
0. Install and set up Nextcloud; optional: create a few random users
1. Apply the following patch to a standard Nextcloud server: patch diff --git a/settings/BackgroundJobs/VerifyUserData.php b/settings/BackgroundJobs/VerifyUserData.php index 56ebadff9c..76ed8b5ed3 100644 ---...

CVSS 5 | AI score 0.3 | EPSS 0.01876 | Exploits 1
Hacker One
added 2019/03/12 3:42 p.m. (39 views)

Nextcloud: Arbitrary SQL command injection

When querying for users on the lookup server any unauthenticated user could perform an SQL Injection...

CVSS 7.5 | AI score 4.1 | EPSS 0.01788 | Exploits 0
Hacker One
added 2019/03/09 4:46 p.m. (22 views)

Nextcloud: Able to bypass "Device credentials" Lock

Prepare:
1. Enable "Device credentials" lock via the settings. I'm using fingerprint in my case.
2. Test if this works by closing the app and opening it again.
3. If this works, close the app again; do a force close to make sure the application is closed.
The next steps need to be done quickly right...

CVSS 2.1 | AI score 4.6 | EPSS 0.00385 | Exploits 0
Hacker One
added 2019/03/04 12:10 p.m. (59 views)

Nextcloud: Uploading large avatar images causes excessive CPU usage

How to reproduce:
- Create an account on any server running Nextcloud 13 or 14.
- Open the personal settings.
- Upload a large image as avatar (tested with a 4032x3024 PNG image of about 14.5 MB).
- Keep the selected area in the popup and save the avatar.
- Notice that the avatar area shows the...

AI score 1.6 | Exploits 0
Hacker One
added 2019/02/20 10:00 p.m. (14 views)

Nextcloud: User Editable nextcloud Wiki pages of Public Repositories

Summary: I have found that the "Edit" permissions of WIKI pages are NOT disabled on the public repositories of nextcloud. Generally Edit permissions are given only to the collaborators of a specific repository, but that is not the case with Nextcloud. It is publicly editable, which isn't right in...

AI score 0.1 | Exploits 0
Hacker One
added 2019/02/20 8:31 p.m. (26 views)

Nextcloud: XSS On Nextcloud Integrated with zimbra drive

Hello Team, There is a stored XSS on the Nextcloud plugin with Zimbra Drive. I integrated Zimbra with Nextcloud 13 and Zimbra Drive 0.8.20. Please see attached file; I am waiting for your response. Best regards. Impact: Get sensitive data...

AI score 1 | Exploits 0
Hacker One
added 2019/02/04 10:52 a.m. (23 views)

Nextcloud: Bypassing lock protection

Nextcloud allows multiple accounts within the Android client app and relies on a single lock. Based on the exposed intent nc://login, it is possible to add a new account under an attacker domain and open Nextcloud without the lock check. Proof of concept: 1. Open the NC app with the lock displayed 2...

CVSS 4.6 | AI score 1 | EPSS 0.00463 | Exploits 1