
Hacker One
added 2016/10/11 7:59 a.m., 349 views

Nextcloud: URI scheme bypass in mail app lead to HTML content spoof and opener control

Bug: When we load an HTML mail from the mailbox via the API, e.g. http://nextcloud/index.php/apps/mail/accounts//folders/SU5CT1g=/messages//html, the content is passed to HTML Purifier to strip malicious XSS patterns. After that, a filter is applied to transform acceptable URI schemes (http, https, ftp, ...)

Exploits 0

Hacker One
added 2016/10/10 7:55 a.m., 12 views

Nextcloud: Dav sharing permissions issue

Steps 1. Create users "Test 1" and "Test 2", make "Test 1" member of "Group A" 2. Share a calendar with group "Group A" editable 3. Share the same calendar with user "Test 2" readonly 4. As "Test 1" open the calendar app and unshare the calendar from "Test 2" - works 5. As "Test 1" open the...

AI score 0.6
Exploits 0

Nextcloud
added 2016/10/10 12:00 a.m., 23 views

Improper authorization check on removing shares (NC-SA-2016-007)

The Sharing Backend as implemented in Nextcloud does differentiate between shares to users and groups. In case of a received group share, users should be able to unshare the file to themselves but not to the whole group. The previous API implementation did simply unshare the file to all users in...

CVSS 4 | AI score 3.8 | EPSS 0.01624
Exploits 1 | Affected Software 1

Nextcloud
added 2016/10/10 12:00 a.m., 25 views

Stored XSS in CardDAV image export (NC-SA-2016-008)

The CardDAV image export functionality as implemented in Nextcloud allows the download of images stored within a vCard. Because no verification of the image content is performed, this is prone to a stored Cross-Site Scripting attack. Note: Nextcloud employs a very strict Content Security...

CVSS 3.5 | AI score 1.3 | EPSS 0.01118
Exploits 1 | Affected Software 1

Nextcloud
added 2016/10/10 12:00 a.m., 33 views

Reflected XSS in Gallery application (NC-SA-2016-009)

The gallery app was not properly sanitizing exception messages from the Nextcloud server. Because an endpoint existed where an attacker could influence the error message, this led to a reflected Cross-Site-Scripting vulnerability...

CVSS 4.3 | AI score 2.2 | EPSS 0.01656
Exploits 1 | Affected Software 1

Nextcloud
added 2016/10/10 12:00 a.m., 38 views

SMB User Authentication Bypass (NC-SA-2016-006)

Nextcloud includes an optional SMB authentication component, not enabled by default, that allows authenticating users against an SMB server. This backend is implemented in a way that it tries to connect to an SMB server and, if that succeeds, considers the user logged in. The backend did not proper...

CVSS 6.8 | AI score 8.2 | EPSS 0.04095
Exploits 1 | Affected Software 1

Hacker One
added 2016/10/07 3:11 p.m., 69 views

Nextcloud: Filename enumeration && DoS

@secator reported some enumeration and DoS related issues in Nextcloud Server to us. At the request of the reporter the issue has only been disclosed in a limited form...

CVSS 4 | AI score 1.6 | EPSS 0.0123
Exploits 0

Hacker One
added 2016/10/03 9:13 p.m., 16 views

Nextcloud: Bad content-type in response header when getting document can lead to html injection

Bug: When requesting a document by genesisid or filename, the content-type field in the response header is 'text/html', and the document content can be anything. So if we upload an odt file containing HTML and share it with other users, it can lead to HTML injection when others request that file. PoC - img1...

AI score 2.2
Exploits 0

Hacker One
added 2016/10/03 10:19 a.m., 69 views

Nextcloud: Bypassing quota limit

Hi, a user can upload files despite having a limited quota by changing the value of the "OC-Total-Length" header to "A", or by adding an "X-Expected-Entity-Length" header with the value "A". Normally, with insufficient storage, we have: PUT /remote.php/webdav/a.jpg HTTP/1.1 Content-Type: application/octet-stream...

CVSS 4 | AI score 2.3 | EPSS 0.00888
Exploits 0

OpenVAS
added 2016/09/27 12:00 a.m., 48 views

Nextcloud 'share.js' Gallery Application XSS Vulnerability - Windows

Nextcloud is prone to a cross-site scripting (XSS) vulnerability. SPDX-FileCopyrightText: 2016 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...

CVSS 6.1 | AI score 4.9 | EPSS 0.02
Exploits 5 | References 1

OpenVAS
added 2016/09/27 12:00 a.m., 22 views

Nextcloud 'share.js' Gallery Application XSS Vulnerability - Linux

Nextcloud is prone to a cross-site scripting (XSS) vulnerability. SPDX-FileCopyrightText: 2016 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...

CVSS 6.1 | AI score 4.9 | EPSS 0.02
Exploits 5 | References 1

OpenVAS
added 2016/09/27 12:00 a.m., 14 views

Nextcloud Detection (HTTP)

HTTP based detection of Nextcloud. SPDX-FileCopyrightText: 2016 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only if(description) { script_oid("1.3.6.1.4.1.25623.1.0.809413");...

AI score 5.8
Exploits 0 | References 1

Hacker One
added 2016/09/23 4:56 p.m., 13 views

Nextcloud: Content spoofing in lookup.nextcloud.com

Scenario: An attacker can include arbitrary text using a specially crafted nextcloud URL. This is done using the characters /%0d%0a. Steps: 1. The attacker distributes the URL below by means of spamming or through his website...

AI score 1.2
Exploits 0

CNVD
added 2016/09/19 12:00 a.m., 2 views

OwnCloud Server and Nextcloud Server Cross-Site Scripting Vulnerabilities

OwnCloud is a free and open source personal cloud storage solution from OwnCloud Germany. Nextcloud is an open source self-hosted file synchronization, sharing and communication application platform. OwnCloud Server and Nextcloud Server are the server versions of the respective products. A cross-site scriptin...

CVSS 5.4 | AI score 6 | EPSS 0.01373
Exploits 1 | References 1

OSV
added 2016/09/17 9:59 p.m., 7 views

CVE-2016-7419

Cross-site scripting XSS vulnerability in share.js in the gallery application in ownCloud Server before 9.0.4 and Nextcloud Server before 9.0.52 allows remote authenticated users to inject arbitrary web script or HTML via a crafted directory name...

CVSS 5.4 | AI score 5.2
Exploits 0 | References 5

NVD
added 2016/09/17 9:59 p.m., 21 views

CVE-2016-7419

Cross-site scripting XSS vulnerability in share.js in the gallery application in ownCloud Server before 9.0.4 and Nextcloud Server before 9.0.52 allows remote authenticated users to inject arbitrary web script or HTML via a crafted directory name...

CVSS 5.4 | AI score 5.1 | EPSS 0.01373
Exploits 1 | References 5

Prion
added 2016/09/17 9:59 p.m., 17 views

Cross site scripting

Cross-site scripting XSS vulnerability in share.js in the gallery application in ownCloud Server before 9.0.4 and Nextcloud Server before 9.0.52 allows remote authenticated users to inject arbitrary web script or HTML via a crafted directory name...

CVSS 3.5 | AI score 5.5 | EPSS 0.01373
Exploits 1 | References 5 | Affected Software 2

Cvelist
added 2016/09/17 9:00 p.m., 25 views

CVE-2016-7419

Cross-site scripting XSS vulnerability in share.js in the gallery application in ownCloud Server before 9.0.4 and Nextcloud Server before 9.0.52 allows remote authenticated users to inject arbitrary web script or HTML via a crafted directory name...

AI score 5.2 | EPSS 0.01373
Exploits 1 | References 5

CVE
added 2016/09/17 9:00 p.m., 57 views

CVE-2016-7419

Affected software and scope: CVE-2016-7419 is an XSS vulnerability in the share.js file of the gallery application used by ownCloud Server < 9.0.4 and Nextcloud Server

CVSS 5.4 | AI score 5.1 | EPSS 0.01373
Exploits 1 | References 5 | Affected Software 2

Hacker One
added 2016/09/15 10:10 p.m., 44 views

Nextcloud: Bypass permissions

@secator reported some permission related issues in Nextcloud Server to us. At the request of the reporter the issue has only been disclosed in a limited form...

CVSS 5.5 | AI score 1.3 | EPSS 0.00666
Exploits 0