External storage credentials stored for wrong user (NC-SA-2021-004)
A missing user check in Nextcloud 20.0.5 and prior allowed a user to populate their own credentials into other users' external storage configuration when those users had not configured one yet...
Global site selector authentication bypass
Advanced permissions not respected when copying entire group folders
Initialization vector reuse in end-to-end encryption allows a malicious server admin to break, manipulate and access files
Desktop client can be tricked into opening/executing local files when clicking a nc://open/ link
Password disclosure in log file when providing incorrect additional data on initial setup of Mail App
Bypass of password requirements when sharing a folder via the Circles app
Bypass of image blocking in Nextcloud Mail
WOPI API not protected by credentials/IP check
Inviting excessively long email addresses to a calendar event makes the server unresponsive
OAuth2 client_secret stored in plain text in the database
Password of talk conversations can be bruteforced
Scope of workflow operations is not validated
App pin of the Android app can be bypassed via third-party apps generating deep links
Vulnerable moment-timezone version shipped
Disabled download shares still allow download through preview images
No password length limit when creating a user as an administrator
Generated passwords are not fully validated by HIBPValidator
Federated editing allows iframing remote servers by default
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Server
Lack of ratelimit on public DAV endpoint
Filenames not escaped by default in controllers using DownloadResponse
Missing URL validation allowed RCE for the server on the Desktop client (NC-SA-2021-008)
Missing validation of URLs in Nextcloud Desktop Client 3.1.2 and earlier allowed a malicious server to execute code on the client. User interaction was required...
External storage app saves password for all users in the database (NC-SA-2021-006)
A missing condition in Nextcloud Server 19 and prior caused the external storage app to always store the user's password in a recoverable format...
Missing ownership check on remote wipe endpoint (NC-SA-2020-018)
An insecure direct object reference vulnerability in Nextcloud Server 18.0.2 allowed an attacker to remotely wipe devices of other users by sending a malicious request directly to the endpoint...
SMB User Authentication Bypass (NC-SA-2016-006)
Nextcloud includes an optional SMB authentication component, not enabled by default, that allows authenticating users against an SMB server. This backend is implemented in a way that it tries to connect to an SMB server and, if that succeeds, considers the user logged in. The backend did not proper...
Read-only share recipient can restore old versions of file (NC-SA-2016-005)
The restore capability of Nextcloud was not verifying whether a user has only read-only access to a share. Thus a user with read-only access was able to restore old versions...
Open redirect in user_saml via RelayState parameter
Lack of authenticity of metadata keys allows a malicious server to gain access to E2EE folders
Reference fetch can saturate the server bandwidth for 10 seconds
Listing folder content blocked by files access control when received as share
Improper input-size validation on the user new session name
Missing permission check on Deck API
Malicious user could break user administration page
Code injection in Nextcloud Desktop Client for macOS (NC-SA-2020-016)
A code injection in Nextcloud Desktop Client 2.6.2 for macOS allowed loading arbitrary code when starting the client with DYLD_INSERT_LIBRARIES set in the environment...
Events information leaked with shared calendars on recurrence exceptions
User scoped external storage can be used to gather credentials of other users
User session not correctly destroyed on logout
App pin of the iOS app can be bypassed
XSS in Desktop Client in the notifications
Server-Side Request Forgery (SSRF) via potential filter bypass with too lax local domain checking
Untrusted Search Path in Nextcloud Desktop Client
Webauthn tokens not removed after user has been deleted
Files Drop public link can be added as federated share
Second factor authentication bypassed if provider fails to load (NC-SA-2018-011)
Missing state would not enforce the use of a second factor at login if the provider of the second factor failed to load...
Workflows do not require password confirmation on API level
Users can delete external storage mount points
Ability to control the filename when uploading a logo or favicon as admin in the theming settings
Messages can still be seen on conversation after expiring when cron is misconfigured
Increase random used for encryption (NC-SA-2020-023)
A too small set of random characters being used for encryption in Nextcloud Server 18.0.4 allowed decryption in shorter time than intended...