Missing sanitization in iOS App allows XSS (NC-SA-2020-003)
Missing sanitization in the iOS App 2.24.4 causes an XSS when opening malicious HTML files...
2FA sessions not properly expired on password change (NC-SA-2020-001)
A bug in Nextcloud Server 15.0.2 causes pending 2FA logins to not be correctly expired when the password of the user is reset...
Code injection in Nextcloud Desktop Client for macOS
Brute force protection allows sending more requests than intended
Basic auth header on WebDAV requests is not brute-force protected
Desktop client does not verify received signed certificate in end-to-end encryption
Potential share collision for recipients when caching is enabled
Nextcloud Server shipped insecure Archive_Tar version
Audit log is not properly logging unsetting of share expiration date
Reflected XSS when renaming malicious file (NC-SA-2021-005)
Missing sanitization in Nextcloud Server 20.0.5 and prior allowed a reflected XSS when HTML was saved as a file name and an error was then triggered on rename, e.g. by renaming to an existing file. The risk is mostly mitigated by the strict Content-Security-Policy (CSP) of Nextcloud, and thus mainly...
Potential DDoS when posting long data into workflow validation rules (NC-SA-2021-001)
Missing input validation in Nextcloud Server 20.0.1 allowed users to store unlimited data in workflow rules, causing load and potential DDoS on later interactions with and usage of those rules...
PIN for passwordless WebAuthn is asked for but not verified (NC-SA-2020-037)
A wrong configuration in Nextcloud Server 19.0.1 incorrectly gave users the impression that passwordless WebAuthn was also a two-factor verification, by asking for the PIN of the passwordless WebAuthn but not verifying it...
Access control missing while viewing the attachments in the 'All boards' (NC-SA-2020-036)
Missing access control in Nextcloud Deck 1.0.4 caused an insecure direct object reference allowing an attacker to view all attachments...
Password of share by mail is not hashed when given on the create share call (NC-SA-2020-026)
A logic error in Nextcloud Server 19.0.0 caused a plaintext storage of the share password when it was given on the initial create API call...
Query restriction bypass on exposed FileContentProvider in Android app (NC-SA-2019-011)
Insufficiently strict sanitization allowed an attacker to obtain content information from protected tables when using custom queries...
Log pollution can potentially lead to local HTML injection (NC-SA-2016-002)
The "download log" functionality in the admin screen delivers the log in JSON format to the end user. The file was delivered with an attachment disposition, forcing the browser to download the document. However, Firefox running on Microsoft Windows would offer the user to open the data in the...
Insecure temporary file creation, race with write access and permission
Users can delete old versions of read-only shared files
Notes app can be tricked into using a received share created before the user logged in
Chat room membership disclosed via autocompletion when not a member yourself
Sensitive files/data exist after deletion of user account
Control character filtering misses leading and trailing whitespace in file and folder names
Can bypass the lock protection in Android Files app
Malicious Android application can crash the Nextcloud Android Client
Default Nextcloud Server and iOS Client leak sharee searches to Nextcloud
Message Authentication Codes calculated by the Default Encryption Module allow an attacker to silently overwrite blocks in a file (NC-SA-2020-038)
A wrong generation of the passphrase for the encrypted block in Nextcloud Server 19.0.1 allowed an attacker to overwrite blocks in a file...
Secure view shares can be downloaded by manipulating the URL (NC-SA-2020-015)
A missing access control check in Nextcloud Server 18.0.0 causes hide-download shares to be downloadable when appending /download to the URL...
User IDs and Nextcloud server leaked to Nextcloud Lookup server with disabled settings (NC-SA-2019-016)
Exposure of private information in Nextcloud Server 16.0.1 causes the server to send its domain and user IDs to the Nextcloud Lookup Server, without any further data, even when the Lookup server is disabled...
Reflected XSS in error pages (NC-SA-2017-008)
Inadequate escaping of error messages leads to XSS vulnerabilities in multiple components. Note that Nextcloud employs a strict Content-Security-Policy preventing exploitation of this XSS issue on modern web browsers...
Content-Spoofing in "files" app (NC-SA-2017-006)
The top navigation bar displayed in the files list contained partially user-controllable input leading to a potential misrepresentation of information...
Reflected XSS in Gallery application (NC-SA-2016-009)
The gallery app was not properly sanitizing exception messages from the Nextcloud server. Due to an endpoint where an attacker could influence the error message, this led to a reflected Cross-Site Scripting vulnerability...
Server-Side Request Forgery (SSRF) in Mail app
Missing password confirmation when creating app passwords
Missing brute force protection on OAuth2 API controller
Delete permissions are not saved when creating public share
Federated share accepting/declining is not logged in audit log
Force an admin to install recommended applications
Sensitive data may not be removed from storage on account removal
End to end encryption folder locking is not properly protected
XSS through image upload of contacts using svg file (NC-SA-2020-045)
A missing file type check in Nextcloud Contacts 3.3.0 allowed a malicious user to upload malicious SVG files to perform XSS attacks...
Downgrade encryption scheme and break integrity through known-plaintext attack (NC-SA-2020-039)
A cryptographic issue in Nextcloud Server 19.0.1 allowed an attacker to downgrade the encryption scheme and break the integrity of encrypted files...
Improper share updates could result in extended data access (NC-SA-2019-003)
A bug could expose more data in reshared link shares than intended by the sharer...
Classification of calendar events is ignored by the activity stream (NC-SA-2019-001)
A missing check revealed the name of confidential events and private events to all users of a shared calendar...
Improper validation of permissions (NC-SA-2018-010)
Improper revalidation of permissions led to access restrictions imposed by access tokens not being honored...
Global credentials of external storages are sent back to the frontend
Missing permission check when removing a photo from an album
App PIN code can be bypassed in Files iOS
Self XSS when pasting HTML into Text app with Ctrl+Shift+V
XSS in Desktop Client in call notification popup
XSS in Desktop Client via user status and information