384 matches found
Passcode bypass on Talk Android app
None...
XSS in Nextcloud Text application
None...
Ability to control the filename when uploading a logo or favicon as admin in the theming settings
None...
Potential share collision for recipients when caching is enabled
None...
Possibility to delete files attached to deck cards of other users
None...
Stored XSS via Authorization Endpoint - Safari-Only
None...
Last video frame is still sent after video is disabled in a call
None...
Access to internal files of the Nextcloud Android app from within the Nextcloud Android app
None...
Permission bypass in DiskLruImageCacheFileProvider (GHSL-2021-1008)
None...
Deck shared with a Circle can be accessed by non-Circle members
None...
SQL injection in Android app content provider (NC-SA-2019-005)
The content provider of the app accepted arbitrary strings in the field list of the returned file list. This allowed an attacker to run harmful queries, destroying the local cache of the android app. The server data however was never in danger, so removing the account and setting it up again can...
Possibility for anyone to add a stack with existing tasks on anyone's board in the Deck app
None...
Notification implicit PendingIntent in com.nextcloud.client allows to access contacts
None...
Can bypass the lock protection in Android Files app
None...
Geolocation preview links can be set to arbitrary links
None...
Default settings leak federated cloud ID to lookup server of all users
None...
SMTP Command Injection in iCalendar Attachments to emails via newlines
None...
XSS in Nextcloud Circles
None...
Audit log is not properly logging unsetting of share expiration date
None...
OAuth2 client secrets were stored in a recoverable way
None...
Talk Android broadcast receiver is not protected by broadcastPermission allowing malicious apps to communicate
None...
Generated passwords are not fully validated by HIBPValidator
None...
When sharing a Deck card in conversation the metaData can be manipulated to open arbitrary URL
None...
File path disclosure of shared files in Richdocuments application
None...
Code injection possible with malformed Nextcloud Talk chat commands (NC-SA-2020-021)
A too lax check in Nextcloud Talk 6.0.4, 7.0.2 and 8.0.7 allowed a code injection when a not correctly sanitized talk command was added by an administrator...
Ability to by-pass second factor
None...
OAuth2 authorization codes are valid indefinetly
None...
Ownership check missing when updating or deleting mail attachments
None...
Filenames not escaped by default in controllers using DownloadResponse
None...
Existance of calendars and addressbooks can be checked by unauthenticated users
None...
Groupfolders advanced permissions is not obeyed for subfolders
None...
Two-Factor Authentication not enforced for pages marked as public
None...
Trusted servers exchange can be triggered by attacker
None...
Improper restriction of excessive authentication attempts on WebDAV endpoint
None...
User without download rights can download older version of that file
None...
Exceptions may have logged Encryption-at-Rest key content
None...
WOPI API not protected by credentials/IP check
None...
HTML injection in search UI when selecting a circle with HTML in the display name
None...
Desktop client can be tricked into opening/executing local files when clicking a nc://open/ link
None...
Profile of disabled user stays accessible
None...
Bypass of Two Factor Authentication
None...
SQL Injection in lookup-server (NC-SA-2019-010)
Improper sanitation of user input allowed any unauthenticated user to perform SQL injection attacks...
Missing brute force protection on password reset token
None...
No password length restriction in reset password endpoint
None...
XSS in Talk
None...
Stored XSS in markdown file with Nextcloud Talk using Internet Explorer (NC-SA-2021-002)
A missing link validation in Nextcloud Server 20.0.1 allowed to execute a stored XSS attack on Internet Explorer users by saving a javascript url in a Markdown...
Insecure randomness for default password in file sharing when password policy app is disabled
None...
Bypass of image blocking in Nextcloud Mail
None...
Lack of ratelimit on public DAV endpoint
None...
Missing permission check on email metadata retrieval
None...