Nextcloud: **minor issue** - Nextcloud 10.0 session issue with desktop client and Android client
Scenario: -- Installed Nextcloud 10.0 locally and created an "admin" account -- Installed the Nextcloud desktop client and Android client. I found a session-related vulnerability in Nextcloud 10.0 where killing a session in Useradmin -- Personal -- Sessions does not actually kill the session in the desktop client. Step...
Nextcloud: Nextcloud 10.0 privilege escalation issue - Normal user can mask external storage shared by admin
A normal (non-privileged) user can mask external storage shared by admin. Scenario: Created three users "admin", "attacker", "victim". Created group "samplegroup" containing all three users, with "victim" as group admin. Steps: 1. User "admin" created external storage named "localstrg" note: name is t...
Nextcloud: Reflected Self-XSS Vulnerability in the Comment section of Files (Different-payloads)
Note: steps mentioned in report 164027. In the Comments box, the payload to execute XSS is passed. Test payloads: alert1 Also the above payload is still working. Also try this payload: " fooalert1 Click edit comment after posting. XSS triggers...
Nextcloud: Reflected Self-XSS Vulnerability in the Comment section of Files Information
Vulnerability found in the test domain: demo.nextcloud.com. Vulnerability type: Reflected XSS. STEPS TO REPRODUCE: STEP 1: Log in to the demo Nextcloud server site using test credentials. demo.nextcloud.com STEP 2: On the All Files tab, select any file. STEP 3: A tab opens on the right-hand side of the...
Nextcloud: Slow Http attack on nextcloud(DOS)
@drosera has reported a slow HTTP attack on nextcloud.com leading to DoS. We've meanwhile mitigated the issue. On request of the reporter, this issue is only disclosed limitedly...
Nextcloud: WordPress: Directory Traversal / Denial of Service
Hello Security team, while testing nextcloud.com I found that you are not using the latest version of WordPress; you are using the old version 4.5.3, which is vulnerable to Directory Traversal / Denial of Service. Description: A path traversal vulnerability was found in the Core Ajax handlers of...
Nextcloud: Expired SSL certificate
I would like to inform you that the SSL certificate for www.nextcloud.org expired at 24 August 2016 15:03. Thanks...
Nextcloud: \OCA\DAV\CardDAV\ImageExportPlugin allows serving arbitrary data with user-defined or empty mimetype
The SabreDAV plugin \OCA\DAV\CardDAV\ImageExportPlugin is used for displaying the pictures of a VCF. It registers on GET requests on a CardDAV element and acts when the query parameter photo is sent. The logic can be seen below: /** Intercepts GET requests on addressbook urls ending with ?photo. @para...
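The pattern behind this report, as an added example that is not Nextcloud's code: a handler that copies a mimetype taken from the vCard itself (data the contact's author controls) into Content-Type, or sends none and lets the browser sniff, next to a hardened handler that decides the type from the bytes, serves only an allowlisted set of image formats and sets headers so the body cannot be re-interpreted as HTML or script. The function names, header choices and the sample photo bytes are constructed for the example.

```python
"""Added example (not Nextcloud's code): serving a vCard PHOTO over HTTP.

The weak handler trusts the mimetype stored in the PHOTO property; the
hardened handler sniffs the bytes and serves only allowlisted image types.
Sample inputs at the bottom are constructed for the example.
"""
from typing import Dict, Optional, Tuple

Response = Tuple[int, Dict[str, str], bytes]

# Magic-byte prefixes of the only formats we are willing to serve.
ALLOWED_IMAGE_SIGNATURES = (
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
)


def sniff_image_mime(photo: bytes) -> Optional[str]:
    """Return the allowlisted mimetype whose signature starts the body, else None."""
    for signature, mime in ALLOWED_IMAGE_SIGNATURES:
        if photo.startswith(signature):
            return mime
    return None


def vulnerable_photo_response(photo: bytes, declared_mime: Optional[str]) -> Response:
    """Weak pattern: Content-Type comes straight from attacker-controlled vCard data,
    or is omitted entirely so the browser sniffs the body."""
    headers: Dict[str, str] = {}
    if declared_mime:
        headers["Content-Type"] = declared_mime
    return 200, headers, photo


def hardened_photo_response(photo: bytes, declared_mime: Optional[str]) -> Response:
    """Hardened: the declared type plays no part in the decision; the body must
    sniff as an allowed image, and the headers forbid re-interpretation."""
    mime = sniff_image_mime(photo)
    if mime is None:
        return 404, {}, b""
    headers = {
        "Content-Type": mime,
        # Stops browsers from second-guessing the type we send.
        "X-Content-Type-Options": "nosniff",
        # Even if something slipped through, nothing may execute in this document.
        "Content-Security-Policy": "default-src 'none'",
        # Opened directly, the body is a download, not a page; <img> still renders it.
        "Content-Disposition": 'attachment; filename="photo"',
    }
    return 200, headers, photo


# Constructed samples: an HTML payload smuggled as a "photo", and a PNG header.
HTML_PAYLOAD = b"<html><body><script>alert(document.domain)</script></body></html>"
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    print(vulnerable_photo_response(HTML_PAYLOAD, "text/html")[:2])
    print(hardened_photo_response(HTML_PAYLOAD, "text/html")[:2])
    print(hardened_photo_response(PNG_STUB, "text/html")[:2])
```

The sniffing allowlist is deliberately tiny; formats that can carry script (SVG) are excluded on purpose, because an `image/svg+xml` body rendered by navigation runs its scripts in the serving origin.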
Nextcloud: Information Disclosure of .htaccess file in Private Server/Subdomain
@ahsantahir reported a missing permission check on an internal service allowing the extraction of the .htaccess file. We've fixed this by adjusting the Apache configuration and putting Basic Auth in front of the page. On request of the reporter this is disclosed limitedly. Non-Critical, small...
Nextcloud: Password Reset Link issue
Hello, I found an issue in your password reset links and their expiration. Steps to reproduce: Request a password reset link for an account. Log in to the account afterwards. Log out and use the link to reset the password. The link would not be expired. Now I know that the links need to expire...
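The behaviour the report asks for, as an added example that is not Nextcloud's code: a reset-token store that drops an outstanding link when the account logs in or changes its password, on top of the usual time limit and single use, with a helper that walks the report's own steps. The class name, the fake clock and the user names are assumptions made for the example; a real deployment would back the store with a database.

```python
"""Added example (not Nextcloud's code): password-reset tokens that are
invalidated by a successful login, expire after a TTL, and work once."""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Tuple

RESET_TOKEN_TTL_SECONDS = 12 * 60 * 60


def _digest(token: str) -> str:
    # Store only a hash so a database leak does not hand out live reset links.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class ResetTokenStore:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        # user -> (sha256(token), issued_at); one outstanding token per user.
        self._tokens: Dict[str, Tuple[str, float]] = {}

    def issue(self, user: str) -> str:
        """Create a fresh link token; any earlier one for the user is superseded."""
        token = secrets.token_urlsafe(32)
        self._tokens[user] = (_digest(token), self._clock())
        return token

    def on_login(self, user: str) -> None:
        """A successful login shows the user still knows the password, so an
        outstanding reset link is now only useful to someone else: drop it."""
        self._tokens.pop(user, None)

    def on_password_changed(self, user: str) -> None:
        """Whoever changed the password has no further use for the link."""
        self._tokens.pop(user, None)

    def redeem(self, user: str, token: str) -> bool:
        """True once per issued token, only within the TTL and only if no
        login or password change happened since it was issued."""
        entry = self._tokens.get(user)
        if entry is None:
            return False
        digest, issued_at = entry
        if self._clock() - issued_at > RESET_TOKEN_TTL_SECONDS:
            self._tokens.pop(user, None)
            return False
        if not hmac.compare_digest(digest, _digest(token)):
            return False
        self._tokens.pop(user, None)  # single use
        return True


def reproduce_report(store: ResetTokenStore, user: str = "alice") -> bool:
    """Walk the report's steps: request a link, log in, log out, use the link.
    Returns whether the link still worked; True would mean the bug is present."""
    token = store.issue(user)
    store.on_login(user)  # logging in afterwards must kill the link
    # logging out changes no token state
    return store.redeem(user, token)


if __name__ == "__main__":
    print("link still valid after login:", reproduce_report(ResetTokenStore()))
```

Keying the table by user rather than by token also means a second reset request replaces the first link instead of leaving two live ones in a mailbox.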
Nextcloud: Content Injection - demo.nextcloud.com
Hi there, similar to report 161299, but in this case it's possible to inject the 403 Forbidden page. URL: https://demo.nextcloud.com/.htacess%20Content%20Injection%20test Thanks!...
Nextcloud: Content Injection - apps.nextcloud.com
Hi there, The following URL: https://apps.nextcloud.com/.htacess%20Content%20Injection%20test is vulnerable to Content Injection. Reference: https://www.owasp.org/index.php/ContentSpoofing You should use a 403 Forbidden page. If you need further information, let me know. Thanks!...
Nextcloud: XSS on IOS app via HTML rendering
@bugdiscloseguys reported an issue to us leading to a stored XSS attack on the iOS app. To be exploitable the victim would have to open a malicious file shared by an adversary with the user. On request of the reporter, this issue is only disclosed limitedly. While we usually don't agree to disclo...
Nextcloud: demo.nextcloud.com: Content spoofing due to default Apache Error Page
Hello there, your site is vulnerable to phishing of users via this vulnerability. Proof of concept...
Nextcloud: Arbitrary File Upload in Logo & Log in image Theming setting.
Hi team, first, I think this vulnerability doesn't fall within your bug bounty program, but this is a bad design that should be fixed right now, because if an attacker gets admin access he can still upload a malicious file on the client/server side. I saw that Logo & Login image allow uploading other file types...
Nextcloud: demo.nextcloud.com: Content spoofing due to default Apache Error Page
Hi, I would like to report a text injection and a misconfiguration of the 403 page which can be used in phishing. POC:...
Nextcloud: More content spoofing through dir param in the files app
Hi! It's still possible to use an invalid dir param to spoof messages in the directory breadcrumbs area. For example, you can use URL-encoded periods to bypass the directory traversal prevention. By referencing a path that returns a 301, you can add a message in the dir param F108266:...
Nextcloud: Bookmarks: Delete all existing bookmarks of a user
A logical bug in the bookmark app makes it possible to delete all the existing bookmarks of the user. Here are the steps to reproduce: - Create a couple of valid bookmarks - Import a bookmark.html file that contains the line Bookmark. All the bookmarks of the user are replaced with a blank URL and...
Nextcloud: IDOR - Disable sharing
Description: ----- Users with whom files or folders are shared can disable this sharing. Detail: ------ + use request: DELETE /nextcloud/ocs/v2.php/apps/files_sharing/api/v1/shares/share-id?format=json HTTP/1.1 Host: your-host User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47....
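The missing check this report describes, as an added example that is not Nextcloud's code: an object-level authorization test on the share-deletion endpoint, shown as the IDOR form next to the hardened form. The in-memory share table, the user names, the `sharer`/`owner` fields and the status codes used are assumptions made for the example and not a claim about Nextcloud's real semantics (a recipient removing a share from their own view is a separate operation that this example does not model).

```python
"""Added example (not Nextcloud's code): who may DELETE a share by id."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Matches the path from the report, with or without an install prefix
# such as /nextcloud, and with an optional query string.
SHARE_PATH = re.compile(
    r"^/(?:[^/]+/)?ocs/v2\.php/apps/files_sharing/api/v1/shares/(\d+)(?:\?.*)?$"
)


@dataclass
class Share:
    share_id: int
    owner: str      # owner of the underlying file
    sharer: str     # user who created the share (owner, or re-sharer)
    recipient: str  # user the share was sent to


class ShareApi:
    def __init__(self, shares: Iterable[Share]) -> None:
        self._shares: Dict[int, Share] = {s.share_id: s for s in shares}

    def _lookup(self, path: str) -> Optional[Share]:
        match = SHARE_PATH.match(path)
        if match is None:
            return None
        return self._shares.get(int(match.group(1)))

    def exists(self, share_id: int) -> bool:
        return share_id in self._shares

    def delete_vulnerable(self, path: str, actor: str) -> int:
        """IDOR pattern: `actor` is authenticated but never compared with the
        share, so anyone who knows (or guesses) the numeric id can delete it."""
        share = self._lookup(path)
        if share is None:
            return 404
        del self._shares[share.share_id]
        return 200

    def delete_hardened(self, path: str, actor: str) -> int:
        """Only the file owner or the user who created the share may delete it.
        "Not found" and "not yours" return the same status so the endpoint
        does not confirm which ids exist."""
        share = self._lookup(path)
        if share is None or actor not in (share.owner, share.sharer):
            return 404
        del self._shares[share.share_id]
        return 200


def demo_shares() -> ShareApi:
    # Constructed data: admin shared file 1 directly; alice re-shared admin's file as 2.
    return ShareApi([
        Share(1, owner="admin", sharer="admin", recipient="victim"),
        Share(2, owner="admin", sharer="alice", recipient="victim"),
    ])


if __name__ == "__main__":
    url = "/nextcloud/ocs/v2.php/apps/files_sharing/api/v1/shares/1?format=json"
    print("recipient DELETE, vulnerable:", demo_shares().delete_vulnerable(url, "victim"))
    print("recipient DELETE, hardened:  ", demo_shares().delete_hardened(url, "victim"))
```

Running the report's request as the recipient against both handlers is the regression test worth keeping: the vulnerable handler returns 200 and the share is gone; the hardened one returns 404 and the share survives.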
Nextcloud: XSS for admin of https://newsletter.nextcloud.com
The site https://newsletter.nextcloud.com runs phpList 3.2.5. Steps to reproduce: 1. Use the Firefox browser, latest version. 2. Go to https://newsletter.nextcloud.com/admin/?page=viewtemplate&id=123%22%3E%3Cscript%3Ealertdocument.domain%3C/script%3E 3. Log in as admin. 4. An alert box with the name of...