4993 matches found
CVE-2017-0892
Nextcloud Server before 11.0.3 is vulnerable to improper session handling that gave an application-specific password lacking the files-access permission access to the user's file...
CVE-2017-0893
Nextcloud Server before 9.0.58, 10.0.5 and 11.0.3 ships a vulnerable JavaScript library for sanitizing untrusted user input, which suffered from an XSS vulnerability caused by a behaviour change in Safari 10.1 and 10.2. Note that Nextcloud employs a strict Content-Security-Policy preventi...
CVE-2017-0891
Nextcloud Server before 9.0.58, 10.0.5 and 11.0.3 is vulnerable to inadequate escaping of error messages, leading to XSS vulnerabilities in multiple components...
CVE-2017-0890
Nextcloud Server vulnerability CVE-2017-0890 is a DOM-based XSS in the search dialogue caused by inadequate escaping. Affects Nextcloud Server versions prior to 11.0.3. Exploitation requires a user to input or paste malicious content into the search dialogue. The issue is confirmed through multip...
CVE-2017-0890
Nextcloud Server before 11.0.3 is vulnerable to inadequate escaping leading to an XSS vulnerability in the search module. To be exploitable, a user has to write or paste malicious content into the search dialogue...
CVE-2017-0895
The CVE-2017-0895 vulnerability affects Nextcloud Server before 10.0.4 and 11.0.2, where a logical error allows disclosure of calendar and addressbook names to other logged‑in users. No calendar/addressbook content is exposed. Affected versions are fixed in the NC-SA-2017-012 advisory, with Nextc...
CVE-2017-0893
CVE-2017-0893 affects Nextcloud Server prior to 9.0.58, 10.0.5, and 11.0.3. A vulnerable JavaScript library used for sanitizing untrusted input enables a cross-site scripting (XSS) issue due to a Safari 10.1/10.2 behavior change. Nextcloud notes a strict Content-Security-Policy that mitigates exp...
CVE-2017-0895
Nextcloud Server before 10.0.4 and 11.0.2 is vulnerable to disclosure of calendar and addressbook names to other logged-in users. Note that no actual content of the calendar and addressbook has been disclosed...
CVE-2017-0892
Affected software: Nextcloud Server (
CVE-2017-0891
Nextcloud Server (before 9.0.58, 10.0.5, and 11.0.3) is vulnerable to an inadequate escaping of error messages that leads to Reflected Cross-Site Scripting in multiple components. The provided documents designate this as CVE-2017-0891 and describe XSS in error handling; exploitation details are n...
CVE-2017-0894
Nextcloud Server before 11.0.3 is vulnerable to disclosure of valid share tokens for public calendars due to a logical error, thus potentially granting an attacker access to publicly shared calendars without knowing the share token...
CVE-2017-0894
Nextcloud Server prior to 11.0.3 is affected by CVE-2017-0894 due to a logical error that discloses valid share tokens for public calendars, potentially letting an attacker access publicly shared calendars without the token. Affected product: Nextcloud Server; vulnerable component: calendar share...
Nextcloud: Nextcloud Server Remote Command Execution
Hi Nextcloud Security Team, I found a critical RCE vulnerability: Nextcloud Server 11.0.2 is affected by a critical vulnerability, which gives the attacker complete permission to run a system command. The root cause is insufficient validation of arguments to the exec function. Vulnerable Code...
Reflected XSS in error pages (NC-SA-2017-008)
Inadequate escaping of error messages leads to XSS vulnerabilities in multiple components. Note that Nextcloud employs a strict Content-Security-Policy preventing exploitation of this XSS issue on modern web browsers...
Stored XSS in Gallery application (NC-SA-2017-010)
A JavaScript library used by Nextcloud for sanitizing untrusted user input suffered from an XSS vulnerability caused by a behaviour change in Safari 10.1 and 10.2. Note that Nextcloud employs a strict Content-Security-Policy preventing exploitation of this XSS issue on modern web browsers...
PT-2017-10695 · Nextcloud · Nextcloud Server
Name of the Vulnerable Software and Affected Versions: Nextcloud Server versions prior to 11.0.3 Description: The issue is related to a logical error that leads to the disclosure of valid share tokens for public calendars. This could potentially allow an attacker to access publicly shared calenda...
Nextcloud: I am because bug
I'm because I hacker found bug because I report this bug I want to report a bug and because want some $$$$ so please because you are telling me how much you pay money so I give you bug. Me because very poor :' want money because father :' F181820 Thank you wish you because pay lots $$$$$$$$...
Nextcloud: Wordpress Vulnerable to Potential Unauthorized Password Reset
Hi Team, Yesterday, a new 0day on WordPress core has been discovered by Dawid Golunski, so I want you guys to be aware of it to take an immediate action since Nextcloud was using WordPress. WordPress has a password reset feature that contains a vulnerability which might in some cases allow...
Nextcloud: SQL exception in JSON format
Hi, I know this is not critical, just a design issue, but it will be better if it will not show up to the user as an error, maybe in log files readable to the www-user or to the root user in order to debug. PoC: ---------------------- 1. Create a user and confirm the password 2. Capture the packe...