Nextcloud: Remote code execution via path traversal in Zip extraction in the Extract app

I realise this doesn't qualify for a reward, as it's a vulnerability in a third-party app, but as the app is part of the "official" VM image provided by Hansson IT, I think it's well worth fixing. The Extract app doesn't validate the path or filename of a zip file to be extracted, allowing an...