CVE-2018-3764
In Nextcloud Contacts before 2.1.2, a missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected group names, hence malicious search results could only be crafted by privileged users like admins or...
CVE-2018-3764
In Nextcloud Contacts before version 2.1.2, a missing sanitization of search results in the autocomplete field can cause a stored XSS. The issue affects group names, so only malicious search results crafted by privileged users (admins/group admins) could trigger the issue. Impact is a stored XSS ...
CVE-2018-3763
Nextcloud Calendar versions prior to 1.5.8 and 1.6.1 contain a stored XSS in the calendar autocomplete search results for group names. The vulnerability arises from missing sanitization of search results, and exploitation is limited to privileged users (admins/group admins) crafting malicious res...
CVE-2018-3762
CVE-2018-3762 affects Nextcloud Server prior to 12.0.8 and 13.0.3, where improper checks of dropped permissions for incoming shares let a user request previews for files they should not access. Root cause: inadequate enforcement of access control on image preview requests. Impact stated in source...
CVE-2018-3761
Nextcloud Server before 12.0.8 and 13.0.3 is affected by an improper authentication flaw at the OAuth2 token endpoint. The root cause is missing checks that could allow issuing new tokens if the OAuth2 client was partly compromised. Public disclosures reference CVE-2018-3761, with vendor advisori...
CVE-2018-3763
In Nextcloud Calendar before 1.5.8 and 1.6.1, a missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected group names, hence malicious search results could only be crafted by privileged users like...
CVE-2018-3762
Nextcloud Server before 12.0.8 and 13.0.3 suffers from improper checks of dropped permissions for incoming shares, allowing a user to still request previews for files they should not have access to...
CVE-2018-3761
Nextcloud Server before 12.0.8 and 13.0.3 suffers from improper authentication on the OAuth2 token endpoint. Missing checks potentially allowed handing out new tokens in case the OAuth2 client was partly compromised...
PT-2018-16183 · Nextcloud · Nextcloud Contacts
Name of the Vulnerable Software and Affected Versions: Nextcloud Contacts versions prior to 2.1.2 Description: The issue is related to a missing sanitization of search results for an autocomplete field, which could lead to a stored XSS requiring user-interaction. This missing sanitization only...
PT-2018-16182 · Nextcloud · Nextcloud Calendar
Name of the Vulnerable Software and Affected Versions: Nextcloud Calendar versions prior to 1.5.8 Nextcloud Calendar versions prior to 1.6.1 Description: A stored XSS issue exists due to missing sanitization of search results for an autocomplete field, requiring user-interaction. This issue is...
Nextcloud: Accessing download.nextcloud.com from the original IP address | insecure Download
Hi team, Summary: I found that when I access the web site from the original IP, this disables the HTTPS secure connection. Description: First I made a DNS lookup to find the IP address: download.nextcloud.com has address 88.198.160.133 F313820 Now when I open the website from download.nextcloud.com I s...
Nextcloud: Missing X-Content-Type-Options
Nextcloud doesn't have a header setting for X-Content-Type-Options, which means it is vulnerable to MIME sniffing. The only defined value, "nosniff", prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type. This also applies to Google Chrome...
PT-2018-16181 · Nextcloud +2 · Nextcloud Server +2
Name of the Vulnerable Software and Affected Versions: Nextcloud Server versions prior to 12.0.8 Nextcloud Server versions prior to 13.0.3 Description: The issue arises from improper checks of dropped permissions for incoming shares, allowing a user to request previews for files they should not...
PT-2018-16180 · Nextcloud +2 · Nextcloud Server +2
Name of the Vulnerable Software and Affected Versions: Nextcloud Server versions prior to 12.0.8 Nextcloud Server versions prior to 13.0.3 Description: The issue is related to improper authentication on the OAuth2 token endpoint. It involves missing checks that could potentially allow handing out...
Nextcloud: File access control rules not enforced on image files
1. Installed Nextcloud from Snap package version 13.0.2snap1, revision 6916 on a fresh Ubuntu 18.04 LTS install. 2. Installed and enabled Files access control v1.3.0 and Files automated tagging v1.3.0 apps. 3. As an administrator created an invisible collaborative tag Secret. 4. Added Files automated...
Nextcloud: Disclosed Version of PORTS SSH|HTTP|SSL
I found that the versions of the ports are disclosed, but the interesting part is that the SSH port is open and showing its version == OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 Ubuntu Linux; protocol 2.0 F:302383 Searching, I have found that this version has a common vulnerability https://vuldb.com/?id.89622 So it's not good to disclos...
MGASA-2018-0226 Updated nextcloud packages fix security vulnerabilities and update version
Mageia 6 brings Nextcloud 11, which is not supported anymore upstream. This update brings version 12 with several security fixes. The database system is now in a separate package, so you will have to choose manually the one you are using...
Nextcloud: Banner Grabbing - Apache Server Version Disclosure
I have found a little information disclosure on your system. Banner Grabbing is a technique used to gain information about a remote server. Additionally, this technique is used to get information about remote servers. I've captured the HTTP request while visiting...
Nextcloud: Click Jacking Nextcloud
Hello Security, Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking contro...