4993 matches found
Nextcloud: Uploading large avatar images cause excessive CPU usage
How to reproduce: - Create an account on any server running Nextcloud 13 or 14. - Open the personal settings. - Upload a large image as avatar tested with a 4032x3024 PNG image of about 14.5 MB. - Keep the selected area in the popup and save the avatar. - Notice that the avatar area shows the...
Nextcloud: User Editable nextcloud Wiki pages of Public Repositories
Summary : I have found that the "Edit" Permissions of WIKI pages are NOT disabled on the public repositories of nextcloud. Generally Edit permissions are given only to the collaborators of a specific repository. but that is not the case with Nextcloud, It is public editable which isn't right in...
Nextcloud: XSS On Nextcloud Integrated with zimbra drive
Hello Team, There is an stored xss on Nextcloud plugin with Zimbra Drive. I integrate zimbra with nextcloud 13 zimbra drive 0.8.20. Please see attached file and I am waiting for your response. Best regards Impact Get sensitive data...
Nextcloud: Bypassing lock protection
Nextcloud allows multi account within the android client app and relies on a single lock Based on the exposed intent nc://login, it is possible to add a new account under attacker domain and open the Nextcloud without the lock check. Proof of concept 1. open the NC app with the lock displayed 2...
OPNsense 19.1 Cross Site Scripting
Exploit Title: OPNsense 19.1 | Cross-Site Scripting Date: 01.02.2019 Exploit Author: Ozer Goker Vendor Homepage: https://opnsense.org Software Link: http://mirror.ams1.nl.leaseweb.net/opnsense/releases/19.1/OPNsense-19.1-OpenSSL-dvd-amd64.iso.bz2 Version: 19.1 Introduction OPNsense is an open...
Nextcloud: 2FA Session not expires after the password reset
A bug in Nextcloud Server 15.0.2 causes pending 2FA logins to not be correctly expired when the password of the user is reset...
Nextcloud: Private/confidential setting of calendar events is ignored on activity stream
https://github.com/nextcloud/server/pull/13331 Events that are private should not generate events for other users Events that are confidential should not leak the name to other users Impact The details are leaked to other users...
Nextcloud: WordPress vulnerable to multiple attacks at https://nextcloud.com
summary: your current version of WordPress is available to multiple attacks check INFO.php available attacks: - Unauthenticated Arbitrary File Deletion - lib/IPTraf.php User-Agent Header Stored XSS - Password Creation Restriction Bypass - wp-admin/admin.php whois Parameter Stored XSS - XSS & IAA ...
Nextcloud: Password authentication at newsletter.nextcloud.com discloses username list
summary: A vulnerability classified as problematic has been found in OpenSSH 7.2p2. check INFO.pngAffected is an unknown function of the component Authentication. The manipulation of the argument Password with an unknown input leads to a information disclosure vulnerability Username. CWE is...
Nextcloud: Content spoofing on https://surveyserver.nextcloud.com
Hi NextCloud team, the https://surveyserver.nextcloud.com domain is vulnerable against content spoofing in the forbidden page due to the fact that the request URI is reflected without validation inside the aforementioned page. 1. Go on...
Nextcloud: Passwords being stored as plain text in logging
When an exception occurs, any password sent to or being processed by the server may be stored as plain text in the log. I noticed that some methods are already being filtered in ExceptionSerializer.php, but many methods are missing from this list. Suggestion: instead of relying on a list of...
Nextcloud: Retrieval and alteration of exposed media on Android Oreo
Good afternoon. Any media downloaded from the cloud server within the Android app is subject to third party modification and server re-upload without explicit user consent. This happens at least on Android Oreo, as data is automatically stored on shared folder...
Nextcloud: Remote attacker can impersonate Social users via ActivityPub API
Hi there! First up I want to acknowledge that Social may not be in scope. I emailed [email protected], which pointed me here, and I wasn't sure whether to just put it in a GitHub issue. In any case I hope I'm not wasting your time. When an HTTP request arrives at the shared inbox endpoint...
openSUSE: Security Advisory for nextcloud (openSUSE-SU-2018:4002-1)
The remote host is missing an update for the Copyright C 2018 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...
Nextcloud: xmlrpc.php is enabled - Nextcloud
Hi Nextcloud Team, Summary: An attacker can devise a XML request to list all the methods that are enabled on the server. Replace Get with POST request and add method call in the request. To reproduce the vulnerability you need to use Firefox browser and Burpsuite Open:...
Security update for nextcloud (moderate)
This update for nextcloud fixes security issues and bugs. Security issues fixed: - CVE-2018-3780: Stored XSS in autocomplete suggestions for file comments boo1114817 This update also contains all bug fixes and improvements in the 13.0.8 version, including: - Password expiration time changed from...
Security update for nextcloud (moderate)
This update for nextcloud fixes security issues and bugs. Security issues fixed: - CVE-2018-3780: Stored XSS in autocomplete suggestions for file comments boo1114817 This update also contains all bug fixes and improvements in the 13.0.8 version, including: - Password expiration time changed from...
openSUSE Security Update : nextcloud (openSUSE-2018-1487)
This update for nextcloud fixes security issues and bugs. Security issues fixed : - CVE-2018-3780: Stored XSS in autocomplete suggestions for file comments boo1114817 This update also contains all bug fixes and improvements in the 13.0.8 version, including : - Password expiration time changed fro...
Nextcloud: Github wikis are editable by anyone
Github wikis on the following projects https://github.com/nextcloud/fulltextsearch https://github.com/nextcloud/nextcloudpi https://github.com/nextcloud/spreed https://github.com/nextcloud/ocsms https://github.com/nextcloud/nextcloud-snap https://github.com/nextcloud/passman can be edited by any...
Nextcloud: Expired reshare links allow access to all files in share
After a reshared subfolder link has expired, the link allows access to the full folder. I found the Problem in Nextcloud 14.0.3, but it still persists in 14.0.4 Steps: 1. share folder "A" with an nextcloud group 2. reshare a subfolder "B" of this folder with another user on this group in this cas...