384 matches found
Mail app temporarily stores cleartext password in database until OAuth2 setup is done
None...
Exception logging in Sharepoint app reveals clear-text connection details
None...
File Traversal affecting SVG files on Nextcloud Server
None...
Missing User Presence Check in Nextcloud WebAuthn login
None...
Potential hash collision for background jobs could skip queuing them
None...
Open redirect in user_saml via RelayState parameter
None...
Federated editing allows iframing remote servers by default
None...
User enumeration setting not obeyed in User Status API
None...
Notes app can be tricked into using a received share created before the user logged in
None...
user_ldap app logs user passwords in the log file on level debug
None...
Error in calendar when booking an appointment reveals the full path of the website
None...
Download permissions can be changed by resharer
None...
Missing rate limit when trying to join a password protected Nextcloud Talk conversation
None...
Nextcloud deck sharee search leaks searches to lookupserver by default
None...
ID4me feature of OpenID connect app available even when disabled
None...
Path traversal allows tricking the Talk Android app into writing files into it's root directory
None...
App pin of the Android app can be bypassed via thirdparty apps generating deep links
None...
Incomplete sanitization of SVG files allows to embed other images into previews
None...
Self XSS when sending HTML as a comment in the Deck app
None...
Users can make external storage mount points inaccessible for other users
None...
System addressbooks can be modified by malicious trusted server
None...
Brute force protection allows to send more requests than intended
None...
Basic auth header on WebDAV requests is not brute-force protected
None...
IDOR Vulnerability in Nextcloud Mail
None...
Sensitive files/ data exists post deletion of user account
None...
Error in deleting deck cards attachment reveals the full application path
None...
Secret Circle can be joined without approval
None...
Login and token disclosure to other Nextcloud services (NC-SA-2019-017)
Violation of Secure Design Principles in the iOS App 2.23.0 causes the app to leak its login and token to other Nextcloud services when search e.g. for federated users or registering for push notifications...
Listing folder content blocked by files access control when received as share
None...
High memory usage for generating preview of broken image
None...
Mail auto configurator sends account information to `autoconfig.tld` server when no auto-configuration is possible
None...
Desktop client does not verify received singed certificate in end-to-end encryption
None...
Cleartext Transmission of Sensitive Information in user_oidc
None...
Rate-limits not working on instances without configured memory cache backend
None...
Missing brute force protection on OAuth2 API controller
None...
Database resource exhaustion for logged-in users via sharee recommendations with circles
None...
Moderator can enable cam/mic remotely if cam/mic-permission was disabled while user has activated cam/mic
None...
Lack of ratelimit on Richdocuments OCS endpoint
None...
Webauthn tokens not removed after user has been deleted
None...
Scope of workflow operations is not validated
None...
Read-only users can restore old versions
None...
SSRF via filter bypass due to lax checking on IPs
None...
Nextcloud Text app can disclose existence of folders in "File Drop" link share
None...
Nextcloud Talk not properly disassociating users from chats after account deletion
None...
Custom defined credentials of external storages are sent back to the frontend
None...
Global site selector authentication bypass
None...
Can enable/disable birthday calendar for any user
None...
Text does not respect "Allow download" permissions
None...
Missing brute force protection on password confirmation modal
None...
Self reflected HTML injection in Desktop client
None...