Nextcloud: Remote code execution via path traversal in Zip extraction in the Extract app

I realise this doesn't qualify for a reward, as it's a vulnerability in a third-party app, but as the app is part of the "official" VM image provided by Hansson IT, I think it's well worth fixing. The Extract app doesn't validate the path or filename of a zip file to be extracted, allowing an...

Nextcloud Extract App OS Command Injection Vulnerability

Nextcloud is an open source self-hosted file synchronization and sharing communication application platform from Nextcloud, Germany.Extract App is one of the compressed file extractor. An operating system command injection vulnerability exists in Nextcloud Extract App versions prior to 1.2.0. The...