Lucene search

4969 matches found

CVE
added 2018/08/13 7:0 p.m. | 56 views

CVE-2018-3780

CVE-2018-3780 detail (normal mode): Nextcloud’s autocomplete search results may expose a stored XSS due to missing sanitization in the autocomplete field. The flaw affects Nextcloud Server releases around 13.x (notably 13.0.5 and related updates) and can be triggered by crafted search results con...

CVSS 5.4 | AI score 4.9 | EPSS 0.00769
Exploits: 0 | References: 2 | Affected Software: 1
CVE
added 2018/08/13 7:0 p.m. | 47 views

CVE-2018-3781

Nextcloud Talk

CVSS 5.4 | AI score 5 | EPSS 0.0062
Exploits: 0 | References: 2 | Affected Software: 1
CNVD
added 2018/08/13 12:0 a.m. | 2 views

Nextcloud Server Authorization Issues Vulnerability

Nextcloud is a client-server software suite for creating network hard disks. An authorization issue vulnerability exists in versions of Nextcloud Server prior to 12.0.3, which can be exploited by an attacker to obtain user credentials and bypass two-factor authentication...

CVSS 8.8 | AI score 8.2 | EPSS 0.01234
Exploits: 0 | References: 1
CNVD
added 2018/08/13 12:0 a.m. | 1 views

Nextcloud Server Improper Input Validation Vulnerability

Nextcloud is an open source self-hosted file synchronization and sharing communication application platform from Nextcloud Germany. Nextcloud Server is one of the server versions. An input validation vulnerability exists in Nextcloud Server versions prior to 12.0.3 and 11.0.5, which can be exploite...

CVSS 5.3 | AI score 5.3 | EPSS 0.01263
Exploits: 0 | References: 1
UbuntuCve
added 2018/08/12 10:29 p.m. | 18 views

CVE-2018-3776

Improper input validator in Nextcloud Server prior to 12.0.3 and 11.0.5 could lead to an attacker's actions not being logged in the audit log...

CVSS 5.3 | AI score 6.1 | EPSS 0.01263
Exploits: 0 | References: 3
Prion
added 2018/08/12 10:29 p.m. | 20 views

Authentication flaw

Improper Authentication in Nextcloud Server prior to version 12.0.3 would allow an attacker that obtained user credentials to bypass the 2 Factor Authentication...

CVSS 4 | AI score 8.7 | EPSS 0.01234
Exploits: 0 | References: 2 | Affected Software: 1
Prion
added 2018/08/12 10:29 p.m. | 15 views

Input validation

Improper input validator in Nextcloud Server prior to 12.0.3 and 11.0.5 could lead to an attacker's actions not being logged in the audit log...

CVSS 5 | AI score 5.2 | EPSS 0.01263
Exploits: 0 | References: 2 | Affected Software: 1
OSV
added 2018/08/12 10:29 p.m. | 24 views

CVE-2018-3775

Improper Authentication in Nextcloud Server prior to version 12.0.3 would allow an attacker that obtained user credentials to bypass the 2 Factor Authentication...

CVSS 8.8 | AI score 6.8
Exploits: 0 | References: 2
OSV
added 2018/08/12 10:29 p.m. | 22 views

CVE-2018-3776

Improper input validator in Nextcloud Server prior to 12.0.3 and 11.0.5 could lead to an attacker's actions not being logged in the audit log...

CVSS 5.3 | AI score 6.7
Exploits: 0 | References: 2
NVD
added 2018/08/12 10:29 p.m. | 26 views

CVE-2018-3776

Improper input validator in Nextcloud Server prior to 12.0.3 and 11.0.5 could lead to an attacker's actions not being logged in the audit log...

CVSS 5.3 | AI score 5.2 | EPSS 0.01263
Exploits: 0 | References: 2
NVD
added 2018/08/12 10:29 p.m. | 27 views

CVE-2018-3775

Improper Authentication in Nextcloud Server prior to version 12.0.3 would allow an attacker that obtained user credentials to bypass the 2 Factor Authentication...

CVSS 8.8 | AI score 8.7 | EPSS 0.01234
Exploits: 0 | References: 2
Cvelist
added 2018/08/12 10:0 p.m. | 28 views

CVE-2018-3775

Improper Authentication in Nextcloud Server prior to version 12.0.3 would allow an attacker that obtained user credentials to bypass the 2 Factor Authentication...

AI score 8.8 | EPSS 0.01234
Exploits: 0 | References: 2
Cvelist
added 2018/08/12 10:0 p.m. | 29 views

CVE-2018-3776

Improper input validator in Nextcloud Server prior to 12.0.3 and 11.0.5 could lead to an attacker's actions not being logged in the audit log...

AI score 5.2 | EPSS 0.01263
Exploits: 0 | References: 2
CVE
added 2018/08/12 10:0 p.m. | 56 views

CVE-2018-3776

CVE-2018-3776 affects Nextcloud Server; an improper input validator in affected versions prior to 12.0.3 and 11.0.5 could allow an attacker’s actions to bypass audit-logging. The vulnerability is documented across multiple sources (including Red Hat and OpenVAS feeds) and is described as a loggin...

CVSS 5.3 | AI score 5.1 | EPSS 0.01263
Exploits: 0 | References: 2 | Affected Software: 1
CVE
added 2018/08/12 10:0 p.m. | 82 views

CVE-2018-3775

CVE-2018-3775 concerns Nextcloud Server prior to version 12.0.3, where an attacker with valid user credentials could bypass two‑factor authentication due to improper authentication. The NVD entry lists CVSSv3.1 impact as high (C/H/I/H/A/H) and CVSSv2 as medium (I/P, no confidentiality/availabilit...

CVSS 8.8 | AI score 8.7 | EPSS 0.01234
Exploits: 0 | References: 2 | Affected Software: 1
Hacker One
added 2018/07/30 4:6 p.m. | 21 views

Nextcloud: Self xss

Hello, I found self xss your main domain. I'm sending details and I attached poc video. Pls open https://nextcloud.com/about/ Use burp suite and active intercept. Refresh this url. And pls add this payload your url. "alert205'"nextcloud.com Pls click intercept off and page refreshing. Now you see...

AI score 0.4
Exploits: 0
Hacker One
added 2018/07/30 3:4 p.m. | 83 views

Nextcloud: Access control issue -- [Allow file system access not validated when using session auth]

Obtain an App Token 2. Check that you can access the files with this token and save the cookies 3. Revoke filesystem access for this token 4. See that you can still access the files when using the cookies At step 4 there access to the files should also be forbidden...

CVSS 5.5 | AI score 3.2 | EPSS 0.00957
Exploits: 0
Hacker One
added 2018/07/21 8:20 p.m. | 23 views

Nextcloud: Missing SPF flags for customerupdates.nextcloud.com

Hey, I just checked for SPF records for the customerupdates.nextcloud.com domain, and there are none. The fake message reaches the inbox from this domain. Not spam. You can validate by testing yourself here: http://www.kitterman.com/spf/validate.html This subdomain too: update.nextcloud.com Impac...

AI score 0.3
Exploits: 0
Hacker One
added 2018/07/18 1:45 p.m. | 43 views

Nextcloud: HTML injection with AutoComplete suggestions

As user1 set your displayname to Name 2. As user2 autocomplete the name in the comments input or Talk chat input 3. Click on the user name you just autocompleted User2 is redirected to https://nextcloud.com Only works with HTML, not with script Impact User1 can trick user2 to render any html...

CVSS 3.5 | AI score 0.3 | EPSS 0.00769
Exploits: 0
Tenable Nessus
added 2018/07/12 12:0 a.m. | 30 views

openSUSE Security Update : nextcloud (openSUSE-2018-712)

This update for nextcloud fixes the following issues : Security issues fixed : - CVE-2018-3761: Fix improper authentication on the OAuth2 token endpoint bsc1100344. - CVE-2018-3762: Fix improper checks of dropped permissions for incoming shares allowing a user to still request previews for files ...

CVSS 8.1 | AI score 5.6 | EPSS 0.01657
Exploits: 0 | References: 4