4969 matches found
CVE-2018-16466
Improper revalidation of permissions in Nextcloud Server prior to 14.0.0, 13.0.6 and 12.0.11 leads to not accepting access restrictions by access tokens...
CVE-2018-16465
Missing state in Nextcloud Server prior to 14.0.0 would not enforce the use of a second factor at login if the provider of the second factor failed to load...
CVE-2018-16467
A missing check in Nextcloud Server prior to 14.0.0 could give unauthorized access to the previews of single file password protected shares...
CVE-2018-16464
A missing access check in Nextcloud Server prior to 14.0.0 could lead to continued access to password protected link shares when the owner had changed the password...
CVE-2018-16466
CVE-2018-16466 affects Nextcloud Server prior to 14.0.0, 13.0.6, and 12.0.11. The root cause is improper revalidation of permissions, which can cause access restrictions to be bypassed via access tokens. The issue is documented in NC-SA-2018-010 (vendor fix). Affected versions include Nextcloud S...
CVE-2018-16463
CVE-2018-16463 describes a session-fixation bug in Nextcloud Server, affecting versions prior to 14.0.0, 13.0.3, and 12.0.8, which could allow an attacker to access password-protected shares. Core details provided indicate a vulnerability in Nextcloud Server’s session handling, with the public Ne...
CVE-2018-16464
CVE-2018-16464 affects Nextcloud Server prior to 14.0.0. A missing access check could allow continued access to password-protected link shares after the owner changes the password, enabling unauthorized access to shared resources. Remediation: upgrade to Nextcloud Server 14.0.0 or apply vendor ad...
CVE-2018-16465
Nextcloud Server versions prior to 14.0.0 are affected. The issue is a missing state: the second factor was not enforced at login if the 2FA provider failed to load, effectively allowing a 2FA bypass under certain conditions. This vulnerability is described in advisories NC-SA-...
CVE-2018-16463
A bug causing session fixation in Nextcloud Server prior to 14.0.0, 13.0.3 and 12.0.8 could potentially allow an attacker to obtain access to password protected shares...
CVE-2018-16467
CVE-2018-16467 (Nextcloud Server before 14.0.0) is an improper access‑control vulnerability enabling unauthenticated attackers to bypass password protection for previews of single-file shares via the vulnerable publicpreview.php endpoint. The issue can disclose previews (notably image files) with...
Nextcloud: https://help.nextcloud.com::: Web cache poisoning attack
Hi there, I just found that the website https://help.nextcloud.com is infected with "Web cache poisoning". By abusing this bug, an attacker can: 1. Poison your cache with an HTTP header with XSS included. This attack may lead to Stored XSS. 2. Poison your website contains malware url cache poisoned by attacker,...
Nextcloud: Gallery: No feedback for invalid password
CVSS: Low 3.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N. Description: The Gallery plugin does not inform a user when password-protecting a file failed in combination with the Password Policy plugin. Because of this, files that the user will rightfully assume to be...
Nextcloud: Talk / spreed: Disclosure of Room names and participants for password protected rooms
CVSS: 5.3 Medium CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. CVSS isn't always as fine-grained as I'd like; personally, I would rate the issue somewhere between low and medium. Description: The API of the official spreed/talk extension reveals potentially sensitive information such...
Nextcloud: Server-Side request forgery in New-Subscription feature of the calendar app
CVSS: 8.5 High CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N. Description: The "New Subscription" functionality of the official Calendar app allows authenticated users to direct the server to perform arbitrary external requests, and then displays the full response to the user. The...
Updated nextcloud packages fix security vulnerability
Nextcloud has been updated to 13.0.6 and fixes at least the following security issue: A missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected user names, hence malicious search results could...