8 matches found
EUVD-2020-29146
Malware in sbrugna...
Improper access control
Improper access control in Nextcloud Social app version 0.3.1 allowed reading posts of any user...
CVE-2020-8278
CVE-2020-8278 corresponds to a vulnerability in the Nextcloud Social app (version 0.3.1) where improper access control allows reading posts of any user. The root cause is missing authentication/authorization checks in the Social app’s access flow (notably the displayPost path in the ActivityPubCo...
CVE-2020-8278
Improper access control in Nextcloud Social app version 0.3.1 allowed reading posts of any user...
Social App does not validate server certificates for outgoing connections (NC-SA-2020-043)
Missing validation of server certificates for outgoing connections allowed a man-in-the-middle attack...
Improper access control to messages of Social app (NC-SA-2020-042)
Improper access control in Social app 0.3.1 allowed reading posts of any user...
Nextcloud: Improper access control to messages of Social app
The Social App (https://apps.nextcloud.com/apps/social) lacks access controls in the displayPost function (/@username/token), allowing an unauthenticated user to view any message content by knowing or guessing the message ID. The vulnerable code is at...
Nextcloud: Social App does not validate server certificates for outgoing connections
The Social App (https://apps.nextcloud.com/apps/social) does not validate the server TLS certificate for connections to other ActivityPub servers. These connections are used to retrieve the public key for a user or to post a message to another ActivityPub server. The public key for a user is used t...