4993 matches found
Nextcloud: Memory Leak in OCUtil.dll library in Desktop client can lead to DoS
The function IsChildFileconst wchart rootFolder, const wchart file in FileUtil.cpp allocates memory on line 42 and fails to free it. The following PoC code can provide evidence. The code and the PoC executable is attached to this report. Also OCUtils.dll and OCUtilsx64.dll library which is...
Nextcloud: Vulnerable W3 Total Cache plugin version in use on nextcloud.com
Hi there, I noticed you are currently using a vulnerable version of W3 Total Cache, as the changelog containing the plugin version is publicly reachable: https://nextcloud.com/wp-content/plugins/w3-total-cache/changelog.txt W3 Total Cache makes the site vulnerable to a series of attacks, includin...
Nextcloud: Blind Stored XSS on iOS App due to Unsanitized Webview
Hi Team! I found a Blind XSS can executed on iOS App due to unsanitized webview. Using this issue, attacker can extract information from victim. Steps To Reproduce: 1. Upload malicious HTML, share to victim 2. Waiting victim to open it F487447 F487448 HTML payload attached, don't forget to change...
Nextcloud: W3 Total Cache plugin multiple vulnerabilities
W3 Total Cache plugin version = 0.9.4.1 on the https://nextcloud.com has multiple vulnerabilities. See the screenshot.png Impact Remote Command Execution, Unauthenticated Security Token Bypass, Unauthenticated Arbitrary File Read etc...
Nextcloud: External Storage - WebDAV - New user has access to storage from deleted user (same user-ID)
Delete existing user account "user3" Create new user account "user3" Also reported on https://github.com/nextcloud/server/issues/15258 Impact Newly created user with same user-id of a deleted user has access to the configured external webdav storage from the deleted user...
Nextcloud: Remote Code Execution via Extract App Plugin
Hi, I found a critical issue in the Add-on "Extract" listed in the Nextcloud Marketplace: https://apps.nextcloud.com/apps/extract This extension can be installed directly from Nextcloud Application The vulnerability was found in file: extract/lib/Controller/ExtractionController.php line 102. The...
Nextcloud: Combination of content provider allows private data disclosure
Good afternoon. Sorry, its me again .. I use NC on a daily basis so I often makes some checks .. As per 489105, document thumbnail shall not be disclosed. The exposure on thumbnailCache/ is an already know issue. However, malicious apps are still able to extract at least pictures and text files b...
Nextcloud: In Dockerized Environments, Failing to Read config.php Grants Any Anonymous User Full Admin Access
Consider this deployment: - Nextcloud is already installed in a Dockerized environment. - There are two Nextcloud containers running in the environment. - Both containers share the same MySQL database. - Both containers share the same data /var/www/html/data and config /var/www/html/config via...
2FA sessions not properly expired on password change (NC-SA-2020-001)
A bug in Nextcloud Server 15.0.2 causes pending 2FA logins to not be correctly expired when the password of the user is reset...
Nextcloud: SQLi allow query restriction bypass on exposed FileContentProvider
FileContentProvider is an exposed provider As per its definition on https://github.com/nextcloud/android/blob/master/src/main/java/com/owncloud/android/providers/FileContentProvider.java, limited set of data shall be exposed as per @l444 switch mUriMatcher.matchuri case ROOTDIRECTORY: case...
openSUSE Security Update : nextcloud (openSUSE-2019-640)
This update for nextcloud to version 13.0.5 fixes the following issues : Security issues fixed : - CVE-2018-3780: Fixed a missing sanitization of search results for an autocomplete field that could lead to a stored XSS requiring user-interaction. The missing sanitization only affected user names,...
openSUSE Security Update : nextcloud (openSUSE-2019-511)
This update for nextcloud fixes the following issues : Security issues fixed : - CVE-2018-3761: Fix improper authentication on the OAuth2 token endpoint bsc1100344. - CVE-2018-3762: Fix improper checks of dropped permissions for incoming shares allowing a user to still request previews for files ...
openSUSE Security Update : nextcloud (openSUSE-2019-655)
This update for nextcloud fixes security issues and bugs. Security issues fixed : - CVE-2018-3780: Stored XSS in autocomplete suggestions for file comments boo1114817 This update also contains all bug fixes and improvements in the 13.0.8 version, including : - Password expiration time changed fro...
Nextcloud: [Reflected XSS] In Request URL
In index.php file on 1765 we can see XSS: " Because NextCloud allow links like: '/index.php/ANYCONTENT' If we will do request like: POST /updater/index.php/h"alert1; HTTP/1.1 Host: vulns.local Content-Type: application/x-www-form-urlencoded Content-Length: 33 updater-secret-input=OURSECRET We wil...
Reflected XSS in redirect of the Updater (NC-SA-2020-007)
Missing escaping of HTML in the Updater of Nextcloud 15.0.5 allowed a reflected XSS when starting the updater from a malicious location...
Nextcloud: Missing DNSSEC
The nextcloud.com domain does not have DNSSEC enabled...
Nextcloud: Group admins can remove arbitrary data from "data" directory (including admin data)
Steps to reproduce: 1. Create a new user and make him an admin of an arbitrary group 2. Log in as this new user 3. Create a new user "filesexternal", "appdatarandom-data", .. 4. Delete this user Result: The data/filesexternal / data/appdata.. folder is removed. Solution: Prevent creation of users...
Nextcloud: Nextcloud domain and name of every user leaked to lookup server
Steps to reproduce: 0. Install and set up Nextcloud, optional: create a few random users 1. Apply the following patch to a standard Nextcloud server: patch diff --git a/settings/BackgroundJobs/VerifyUserData.php b/settings/BackgroundJobs/VerifyUserData.php index 56ebadff9c..76ed8b5ed3 100644 ---...
Nextcloud: Arbitrary SQL command injection
When querying for users on the lookup server any unauthenticated user could perform an SQL Injection...
Nextcloud: Able to bypass "Device credentials" Lock
Prepare 1. Enable "Device credentials" lock via the settings. I'm using fingerprint in my case 2. Test if this works by closing the app and open it again. 3. If this works close the app again, do a force close to make sure the application is closed. The next steps need to be done quickly right...