Nextcloud: Email notification should be sent when changing password on apps.nextcloud.com
Hi, There is an issue with password reset functionality with Nextcloud: the user is not receiving a notification when he resets his password. Issue: the user does not always get a notification about a password change. When a user changes his password, a notification is not sent to the user. It is good to always send...
Nextcloud: Registered users can change app password permissions for any user
Vulnerable URL http://server/nextcloud/index.php/settings/personal/authtokens/token ID Summary Nextcloud users can create app-specific passwords, also called authtokens, giving an app limited access to their account. Users can grant or deny access to their files for each app password. The functio...
Nextcloud: SQL Injection found in NextCloud Android App Content Provider
Using Drozer, we identified com.nextcloud.client is vulnerable to Sql Injection here is output from drozer: dz run scanner.provider.injection -a com.nextcloud.client Scanning com.nextcloud.client... Not Vulnerable: content://com.nextcloud.android.providers.UsersAndGroupsSearchProvider...
Nextcloud: Broken link for wrong domain entry may be leveraged for Phishing, Misinformation, Serving Malware
Hi Team, Page: https://nextcloud.com/news/16/ Broken link for incorrect DNS entry: It seems like a typo and makes the tld as .comg instead of .com. Now other than usability issue for users, it poses security risk as .comg can be claimed as a gTLD since it is not a reserved TLD Similar to...
openSUSE Security Update : nextcloud (openSUSE-2017-1121)
This update for nextcloud fixes the following issues : - CVE-2017-9286: During upgrade of the nextcloud package local attackers could gain root access via a /tmp file race. boo1036756 © Tenable Network Security, Inc. The descriptive text and package checks in this plugin were...
Nextcloud: NextCloud is also Accepting OCTET-STREAM Type of Documents instead of jpg or Image Files Only
Summary: I noticed that NextCloud is accepting OCTET-STREAM Type of Files Where you have Background/Logo Upload Option. I Believe that NextCloud is Checking for Such Type of Files but I can upload application/octet-stream Type of Documents by Crafting a Special Type of File In this case I created...
PT-2018-16193 · Nextcloud +1 · Nextcloud Server +1
Name of the Vulnerable Software and Affected Versions: Nextcloud Server versions prior to 12.0.3 Description: The issue allows an attacker with obtained user credentials to bypass 2 Factor Authentication due to improper authentication. Recommendations: For versions prior to 12.0.3, update to...
PT-2018-16194 · Nextcloud +1 · Nextcloud Server +1
Name of the Vulnerable Software and Affected Versions: Nextcloud Server versions prior to 12.0.3 Nextcloud Server versions prior to 11.0.5 Description: The issue is related to an improper input validator, which could allow an attacker's actions to remain unlogged in the audit log. Recommendations...
Nextcloud: WordPress < 4.8.2 vulnerable to multiple attacks
Hello team, Summary: I observed that your website https://nextcloud.com still uses WP less than 4.8.2 which is vulnerable to multiple attacks, i reported it so that the team will be aware of it, below are the new discovered bug that you can find on this release:...
Nextcloud: Banner Grabbing - Apache Server Version Disclosure
Hello Nextcloud, I'd like to report a nice little bug. Banner Grabbing is a technique used to gain information about a remote server. Additionally, this technique is used to get information about remote servers. I've captured the HTTP request while visiting https://customerupdates.nextcloud.com an...
Nextcloud: Nextcloud logs ldap passwords
When the ldap server is temporarily unavailable, data like the attached ends up in log files. I've replaced usernames with XXXUSERnXXX and passwords with XXXPASSnXXX. It seems that at least the following are missing from $methodsWithSensitiveParameters in lib/private/Log.php: - bind -...
Nextcloud: Disabled user can reset their password
Steps: 1 Create user and disable the account 2 Go to reset password and enter disabled user's email address. A password reset link is sent and he can reset the password using that link. The point is: Disabled user can still access their account via reset password page. This is a very minor issue...
Nextcloud: Information Exposure Through Directory Listing
Hello. I found open directories on the site https://apps.nextcloud.com, which can be viewed by any unauthorized user. There is an error at https://apps.nextcloud.com/static/. F212856 All directories and files in them, starting with /static/ can be viewed or downloaded with all the content. Perhap...
Nextcloud: Access to all files of remote user through shared file
Steps to reproduce 1. User A shares a file "movie.mp4" with user B. 2. User B uses webdav to access files e.g. foldersync or nautilus 3. share is shown as regular file using webdav. 4. Copy the file and paste it to the same folder still using webdav. 5. A new folder will appear with the name...
Nextcloud: WebDAV Empty Property search leads to full CPU usage
Tested with the following versions: - owncloud:10.0 - nextcloud:12.0 with mariadb in place. A PROPFIND nextcloud/remote.php/webdav/ with xml as body causes full CPU utilization of one Apache worker process. In curl form: curl -i --user testuser:testpass -X PROPFIND -d ''...
Nextcloud: bypass of 2FA
Improper protection of the 2FA login made a bypass of the 2FA possible. The bug required knowing user credentials but effectively rendered the 2FA ineffective. The issue has been fixed by the Nextcloud team and has been validated by the reporter...
Nextcloud: Password of failed (2FA) login attempt is stored in log
If I try to log in on Webdav with my usual Nextcloud password, it doesn't work due to 2FA. I need an application password. The password of a failed login attempt by any user is stored plain text in the log: ...OCA\\DAV\\Connector\\Sabre\\Auth-validateUserPass'matthes', 'THEPASSWORD'... Even...
Nextcloud: Android content provider exposes password-protected share password hashes
Summary Nextcloud Android client v1.4.3 has a globally available content provider which exposes the bcrypt password hashes for password protected shared files and folders. Description Android apps can use a content provider to handle storage and retrieval of data. Content providers that are...
Nextcloud: ci.nextcloud.com: CVE-2015-5477 BIND9 TKEY Vulnerability + Exploit (Denial of Service)
Hello Team NextCloud, In reference to report 217381, I reported the DDoS attack via DNS port at OwnCloud, and it was successfully patched. But now I found the same issue at ci.nextcloud.com Proof Of Concept: Here is the nmap result of ci.nextcloud.com NMap Scan Results: Starting Nmap 7.40...
Nextcloud: Unauthenticated 'display name' information leak on enumeration of login names
I reported this last week through email, but I didn't receive any response so that is why I report this once more. - This is probably not considered as a real security vulnerability, but my customers would like to see this fixed, therefore I report it. Problem: It is possible to get a users...