CVE-2019-5454
Summary: CVE-2019-5454 corresponds to an SQL injection in the Nextcloud Android app (pre-3.0.0) affecting the app's internal content provider and local cache. The vulnerability allows manipulation of SQL queries via harmful inputs to the provider, which can destroy the local cache and force users ...
CVE-2019-5455
Bypassing lock protection exists in Nextcloud Android app 3.6.0 when creating a multi-account and aborting the process...
CVE-2019-5455
CVE-2019-5455 affects the Nextcloud Android app (v3.6.0). The issue allows bypassing the device lock protection during multi-account creation/abort, enabling the attacker to redirect to a default account without prompting for the lock pattern. Evidence includes a PoC described in the HackerOne re...
PT-2019-17683 · Nextcloud · Nextcloud Android App
Name of the Vulnerable Software and Affected Versions: Nextcloud Android app versions prior to 3.0.0 Description: The issue allows for the destruction of the local cache when a harmful query is executed, requiring the user to set up the account again. This occurs due to SQL Injection in the Nextcloud...
PT-2019-17684 · Nextcloud · Nextcloud Android App
Name of the Vulnerable Software and Affected Versions: Nextcloud Android app version 3.6.0 Description: The issue allows bypassing lock protection when creating a multi-account and aborting the process in the Nextcloud Android app. Recommendations: For Nextcloud Android app version 3.6.0, update ...
Name of private conversations leaked when linked via projects to a shared item (NC-SA-2020-011)
Improper access control in Nextcloud Talk 6.0.3 leaks the existence and the name of private conversations when they are linked to another shared item via the projects feature...
Improper neutralization of item names in projects feature (NC-SA-2020-010)
Improper neutralization of file names, conversation names and board names in Nextcloud Server 16.0.3, Nextcloud Talk 6.0.3 and Nextcloud Deck 0.6.5 causes an XSS when linking them with each other in a project...
Improper neutralization of item names in projects feature (NC-SA-2020-008)
Improper neutralization of file names, conversation names and board names in Nextcloud Server 16.0.3, Nextcloud Talk 6.0.3 and Nextcloud Deck 0.6.5 causes an XSS when linking them with each other in a project...
Improper neutralization of item names in projects feature (NC-SA-2020-009)
Improper neutralization of file names, conversation names and board names in Nextcloud Server 16.0.3, Nextcloud Talk 6.0.3 and Nextcloud Deck 0.6.5 causes an XSS when linking them with each other in a project...
Nextcloud: Talk - Leak of password-protected room name via already existent resource addition
CVSS ---- Medium 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Description ----------- Affected: Talk / Spreed 6.0.3 The name of shared but password-protected rooms leaks to low-privileged authenticated users. An attacker does not need to guess room IDs, but can simply iterate over IDs to gath...
Nextcloud: Persistent XSS via filename in projects
CVSS ---- Medium 5.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Description ----------- Affected: Talk / Spreed 6.0.3 The name of a file is echoed without encoding when moving the mouse onto it in the projects tab of a conversation, leading to persistent XSS. A successful attack requires an...
Nextcloud: Clickjacking on https://download.nextcloud.com/
The vulnerability is Clickjacking. Steps to Reproduce: 1. Create a script like this: Clickjacking! The Site is Vulnerable to Clickjacking 2. Enter a file name after saving it in the .html format. Then the web page is vulnerable to Clickjacking. Sorry, bad English, I'm Indonesian. Impact: By using the Clickjacking techniqu...
Nextcloud: Clickjacking on https://nextcloud.com/
The vulnerability is Clickjacking. Steps to Reproduce: 1. Create a script like this: Clickjacking! The Site is Vulnerable to Clickjacking 2. Enter a file name after saving it in the .html format. Then the web page is vulnerable to Clickjacking. Sorry, bad English, I'm Indonesian. Impact: By using the Clickjacking techniqu...
Improper check for access to application database (NC-SA-2018-015)
A too permissive check allowed an installed application that contained the Nextcloud client package name to obtain access to the database of the Nextcloud application. At the time of disclosure there were no applications within the Google Play Store that fulfill this requirement...
Bypass lock protection in Android app (NC-SA-2019-008)
If an attacker has physical access to an Android smartphone without a screen lock, but with Nextcloud installed and set up, they can circumvent the passcode protection by repeatedly opening and closing the app in a very short time...
Thumbnails of files leaked via Android content provider (NC-SA-2019-007)
If an attacker has physical access to an Android smartphone without a screen lock, but with Nextcloud installed and set up, they can easily access the Nextcloud files even if the Nextcloud app is locked with a fingerprint or PIN...
Bypass lock protection in Android app (NC-SA-2019-006)
If an attacker has physical access to an Android smartphone without a screen lock, but with Nextcloud installed and set up, they can easily access the Nextcloud files even if the Nextcloud app is locked with a fingerprint or PIN...
Nextcloud: Clickjacking on https://download.nextcloud.com
This page is vulnerable to clickjacking: https://download.nextcloud.com Steps to Reproduce: 1. Copy the following code and save it as clickjacking.html: Clickjack test page Website is vulnerable to clickjacking! 2. Open it in a browser. You can see the website is vulnerable to clickjacking. Impact: Anyo...
Nextcloud: User can delete data in shared folders he's not authorized to access
Steps to reproduce: 1. Create a group folder named TEST and share it with "admin group" and "test group", marking the advanced permission flag. 2. Create two folders inside the main share: visible and invisible. 3. Inside the "invisible" folder create a test file, let's say something like "test.txt". 4. Set...
Server-Side request forgery in New-Subscription feature of the calendar app (NC-SA-2019-014)
An authenticated server-side request forgery in Nextcloud Server 16.0.1 allowed detecting local and remote services when adding a new subscription in the calendar application...