Lucene search
K
NextcloudMost viewed

384 matches found

Nextcloud
Nextcloud
•added 2020/04/08 12:0 a.m.•32 views

Missing permission check on resharing a board (NC-SA-2020-025)

Improper access control in Nextcloud Deck 0.8.0 allowed an attacker to reshare boards shared with them with more permissions than they had themselves...

6CVSS3AI score0.01035EPSS
Exploits1Affected Software1
Nextcloud
Nextcloud
•added 2019/07/04 12:0 a.m.•32 views

Server-Side request forgery in New-Subscription feature of the calendar app (NC-SA-2019-014)

An authenticated server-side request forgery in Nextcloud server 16.0.1 allowed to detect local and remote services when adding a new subscription in the calendar application...

4CVSS2.5AI score0.01287EPSS
Exploits1Affected Software1
Nextcloud
Nextcloud
•added 2018/06/21 12:0 a.m.•32 views

Stored XSS in contacts via group shares (NC-SA-2018-005)

A missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected group names, hence malicious search results could only be crafted by privileged users like admins or group admins...

3.5CVSS4.1AI score0.00637EPSS
Exploits0Affected Software1
Nextcloud
Nextcloud
•added 2017/05/08 12:0 a.m.•32 views

Limitation of app specific password scope can be bypassed (NC-SA-2017-009)

Improper session handling allowed an application specific password without permission to the files access to the users file...

4.3CVSS2.5AI score0.00985EPSS
Exploits0Affected Software1
Nextcloud
Nextcloud
•added 2023/01/09 5:45 a.m.•31 views

Missing character limitation allows to put generate a database error

None...

6.5CVSS6.3AI score0.00663EPSS
Exploits0References2Affected Software1
Nextcloud
Nextcloud
•added 2022/12/01 9:31 a.m.•31 views

Calendar name length not validated before writing to database

None...

5.3CVSS5.5AI score0.00846EPSS
Exploits0References2Affected Software1
Nextcloud
Nextcloud
•added 2022/11/25 11:31 a.m.•31 views

XSS in Desktop Client in call notification popup

None...

6.1CVSS6AI score0.00915EPSS
Exploits1References2Affected Software1
Nextcloud
Nextcloud
•added 2020/07/10 12:0 a.m.•31 views

Arbitrary code execution in desktop client via OpenSSL config (NC-SA-2020-030)

A code injection in Nextcloud Desktop Client 2.6.4 allowed to load arbitrary code when placing a malicious OpenSSL config into a fixed directory...

4.6CVSS4.3AI score0.00659EPSS
Exploits1Affected Software1
Nextcloud
Nextcloud
•added 2019/07/29 12:0 a.m.•31 views

Improper neutralization of item names in projects feature (NC-SA-2020-008)

Improper neutralization of file names, conversation names and board names in Nextcloud Server 16.0.3, Nextcloud Talk 6.0.3 and Nextcloud Deck 0.6.5 causes an XSS when linking them with each others in a project...

3.5CVSS3.7AI score0.0084EPSS
Exploits0Affected Software1
Nextcloud
Nextcloud
•added 2019/04/12 12:0 a.m.•31 views

Classification of calendar events is ignored by the activity stream (NC-SA-2019-001)

A missing check revealed the name of confidential events and private events to all users of a shared calendar...

4CVSS3.5AI score0.00854EPSS
Exploits0Affected Software1
Nextcloud
Nextcloud
•added 2017/05/08 12:0 a.m.•31 views

Calendar and addressbook names disclosed (NC-SA-2017-012)

A logical error caused disclosure of calendar and addressbook names to other logged-in users. Note that no actual content of the calendar and adressbook has been disclosed...

3.5CVSS2AI score0.00724EPSS
Exploits0Affected Software1
Nextcloud
Nextcloud
•added 2016/07/19 12:0 a.m.•31 views

Content-Spoofing in "files" app (NC-SA-2016-003)

The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user...

5CVSS2.7AI score0.01681EPSS
Exploits1Affected Software1
Nextcloud
Nextcloud
•added 2022/12/01 9:34 a.m.•30 views

Guests can continue to receive video streams from call after being removed from a conversation

None...

6.5CVSS6.4AI score0.00757EPSS
Exploits0References2Affected Software1
Nextcloud
Nextcloud
•added 2021/07/12 9:24 a.m.•30 views

Lack of ratelimit on public share link mount endpoint

None...

5.3CVSS5.4AI score0.01322EPSS
Exploits0References2Affected Software1
Nextcloud
Nextcloud
•added 2021/06/01 6:4 p.m.•30 views

Default Nextcloud Server and Android Client leak sharee searches to Nextcloud

None...

6.5CVSS6.4AI score0.01373EPSS
Exploits1References1Affected Software1
Nextcloud
Nextcloud
•added 2020/10/03 12:0 a.m.•30 views

Improper integrity protection of server-side encryption keys (NC-SA-2020-041)

Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the encryption keys...

5.5CVSS4AI score0.00727EPSS
Exploits1Affected Software1
Nextcloud
Nextcloud
•added 2020/07/16 12:0 a.m.•30 views

Re-Sharing allows increase of privileges (NC-SA-2020-029)

A logic error in Nextcloud Server 19.0.0 caused a privilege escalation allowing malicious users to reshare with higher permissions than they got assigned themselves...

3.5CVSS4.2AI score0.01468EPSS
Exploits1Affected Software1
Nextcloud
Nextcloud
•added 2019/12/04 12:0 a.m.•30 views

Workflow rules only check the file extension for the mimetype instead of the content (NC-SA-2020-002)

A bug in Nextcloud Server 17.0.1 causes the workflow rules to depend their behaviour on the file extension when checking file mimetypes...

6CVSS2.7AI score0.0113EPSS
Exploits0Affected Software1
Nextcloud
Nextcloud
•added 2019/08/02 12:0 a.m.•30 views

Reflected XSS in svg logo generation (NC-SA-2019-018)

A reflected Cross-Site Scripting vunerability was discovered in the svg generation...

4.3CVSS1.8AI score0.00916EPSS
Exploits1Affected Software1
Nextcloud
Nextcloud
•added 2019/07/29 12:0 a.m.•30 views

Name of private conversations leaked when linked via projects to a shared item (NC-SA-2020-011)

Improper access control in Nextcloud Talk 6.0.3 leaks the existance and the name of private conversations when linked them to another shared item via the projects feature...

4CVSS4.3AI score0.00766EPSS
Exploits0Affected Software1
Nextcloud
Nextcloud
•added 2019/07/26 12:0 a.m.•30 views

Bypass lock protection in Android app (NC-SA-2019-006)

If an attacker has physical access to an Android smartphone without a screen lock, but with nextcloud installed and set up, they can easily access the nextcloud-files even if the nextcloud app is locked with a fingerprint or pin...

3.6CVSS2.4AI score0.00469EPSS
Exploits1Affected Software1
Nextcloud
Nextcloud
•added 2018/06/21 12:0 a.m.•30 views

Stored XSS in calendar via group shares (NC-SA-2018-004)

A missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected group names, hence malicious search results could only be crafted by privileged users like admins or group admins...

3.5CVSS4.1AI score0.00609EPSS
Exploits0Affected Software1
Nextcloud
Nextcloud
•added 2017/05/08 12:0 a.m.•30 views

Share tokens for public calendars disclosed (NC-SA-2017-011)

A logical error caused disclosure of valid share tokens for public calendars. Thus granting an attacker potentially access to publicly shared calendars without knowing the share token...

4.3CVSS3.4AI score0.01169EPSS
Exploits0Affected Software1
Nextcloud
Nextcloud
•added 2017/02/05 12:0 a.m.•30 views

Denial of Service attack (NC-SA-2017-004)

Due to an error in the application logic an authenticated adversary may trigger an endless recursion in the application leading to a potential Denial of Service...

4CVSS4.3AI score0.0123EPSS
Exploits0Affected Software1
Nextcloud
Nextcloud
•added 2017/02/05 12:0 a.m.•30 views

Error message discloses existence of file in write-only share (NC-SA-2017-003)

Due to an error in the application logic an adversary with access to a write-only share may enumerate the names of existing files and subfolders by comparing the exception messages...

4CVSS2.3AI score0.00899EPSS
Exploits0Affected Software1
Nextcloud
Nextcloud
•added 2016/07/19 12:0 a.m.•30 views

Stored XSS in "gallery" application (NC-SA-2016-001)

Due to a recent migration of the Gallery app to the new sharing endpoint a parameter changed from an integer to a string value. This value wasn't sanitized before and was thus now vulnerable to a Cross-Site-Scripting attack.To exploit this vulnerability an authenticated attacker has to share a...

3.5CVSS1.9AI score0.01373EPSS
Exploits1Affected Software1
Nextcloud
Nextcloud
•added 2023/08/10 7:10 a.m.•29 views

user_oidc app stores client secret unencrypted in database

None...

8.1CVSS7.9AI score0.00362EPSS
Exploits0References2Affected Software1
Nextcloud
Nextcloud
•added 2020/06/03 12:0 a.m.•29 views

New users can read all Nextcloud Deck data from previous user with same username (NC-SA-2021-007)

A logic error in Nextcloud Deck 1.0.1 allowed new users with a duplicate user identifier to use deck data of a previous deleted user...

4CVSS3.7AI score0.01339EPSS
Exploits1Affected Software1
Nextcloud
Nextcloud
•added 2019/10/22 12:0 a.m.•29 views

File-drop content is visible through the gallery app (NC-SA-2019-012)

Improper authorization in Nextcloud server 17.0.0 causes leaking of previews and files when a file-drop share link is opened via the gallery app...

4CVSS3.3AI score0.00915EPSS
Exploits0Affected Software1
Nextcloud
Nextcloud
•added 2019/04/12 12:0 a.m.•29 views

Improper access control checks for share expiration date (NC-SA-2019-002)

A missing check could give recipient the possibility to extend the expiration date of a share they received...

4CVSS2.3AI score0.00684EPSS
Exploits1Affected Software1
Nextcloud
Nextcloud
•added 2018/10/25 12:0 a.m.•30 views

Session fixation on public share page (NC-SA-2018-013)

A bug causing session fixation could potentially allow an attacker to obtain access to password protected shares...

3.6CVSS3.9AI score0.00545EPSS
Exploits0Affected Software1
Nextcloud
Nextcloud
•added 2018/06/21 12:0 a.m.•29 views

File access control rules not applied to image previews (NC-SA-2018-002)

A missing check for read permissions allowed users that received an incomming share containing files tagged so they should be denied access to still request a preview for those files...

4CVSS4.5AI score0.00888EPSS
Exploits0Affected Software1
Nextcloud
Nextcloud
•added 2017/05/08 12:0 a.m.•29 views

Stored XSS in Gallery application (NC-SA-2017-010)

A JavaScript library used by Nextcloud for sanitizing untrusted user-input suffered from a XSS vulnerability caused by a behaviour change in Safari 10.1 and 10.2.Note that Nextcloud employs a strict Content-Security-Policy preventing exploitation of this XSS issue on modern web browsers...

3.5CVSS2.9AI score0.00643EPSS
Exploits0Affected Software1
Nextcloud
Nextcloud
•added 2017/02/05 12:0 a.m.•29 views

Permission increase on re-sharing via OCS API (NC-SA-2017-001)

A permission related issue within the OCS sharing API allowed an authenticated adversary to reshare shared files with an increasing permission set. This may allow an attacker to edit files in a share despite having only a 'read' permission set.Note that this only affects folders and files that th...

5.5CVSS4AI score0.00593EPSS
Exploits0Affected Software1
Nextcloud
Nextcloud
•added 2024/06/14 2:33 p.m.•28 views

Can access comments and attachments of deleted cards

None...

4.3CVSS5AI score0.00381EPSS
Exploits0References2Affected Software1
Nextcloud
Nextcloud
•added 2024/01/18 8:41 a.m.•28 views

Improper handling of request URLs in Guests app allows guest users to bypass app allowlist

None...

5.4CVSS5.6AI score0.0051EPSS
Exploits0References2Affected Software1
Nextcloud
Nextcloud
•added 2021/07/12 9:18 a.m.•28 views

Lack of ratelimit on shareinfo endpoint

None...

5.3CVSS5.4AI score0.01512EPSS
Exploits0References2Affected Software1
Nextcloud
Nextcloud
•added 2019/10/25 12:0 a.m.•28 views

Duplicate setup of second factor allowed (NC-SA-2020-006)

A missing check in Nextcloud Server 17.0.0 allowed an attacker to set up a new second factor when trying to login...

5.5CVSS2.8AI score0.00607EPSS
Exploits0Affected Software1
Nextcloud
Nextcloud
•added 2019/09/04 12:0 a.m.•28 views

Missing default timeout on HTTP requests (NC-SA-2020-005)

Dangling remote share attempts in Nextcloud 16 allow a DNS pollution when running long...

4CVSS1.7AI score0.00765EPSS
Exploits0Affected Software1
Nextcloud
Nextcloud
•added 2019/07/29 12:0 a.m.•28 views

Improper neutralization of item names in projects feature (NC-SA-2020-010)

Improper neutralization of file names, conversation names and board names in Nextcloud Server 16.0.3, Nextcloud Talk 6.0.3 and Nextcloud Deck 0.6.5 causes an XSS when linking them with each others in a project...

3.5CVSS3.7AI score0.0084EPSS
Exploits0Affected Software1
Nextcloud
Nextcloud
•added 2019/07/26 12:0 a.m.•28 views

Improper sanitization of HTML in directory names (NC-SA-2019-009)

Some basic HTML tags were rendered as Markup in directory names...

4.6CVSS0.5AI score0.00495EPSS
Exploits1Affected Software1
Nextcloud
Nextcloud
•added 2019/07/26 12:0 a.m.•28 views

Bypass lock protection in Android app (NC-SA-2019-008)

If an attacker has physical access to an Android smartphone without a screen lock, but with nextcloud installed and set up, they can circumvent the passcode protection by repeatedly opening and closing the app in a very short time...

2.1CVSS1.7AI score0.00385EPSS
Exploits0Affected Software1
Nextcloud
Nextcloud
•added 2016/10/10 12:0 a.m.•28 views

Content-Spoofing in "files" app (NC-SA-2016-010)

The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user...

5CVSS5.3AI score0.02972EPSS
Exploits1Affected Software1
Nextcloud
Nextcloud
•added 2025/12/05 7:57 a.m.•27 views

Calendar attachments of local files are offered to downloaded

None...

5.7CVSS5.2AI score0.00288EPSS
Exploits0References2Affected Software1
Nextcloud
Nextcloud
•added 2020/07/10 12:0 a.m.•27 views

Memory Leak in OCUtil.dll library in Desktop client can lead to DoS (NC-SA-2020-034)

A memory leak in the OCUtil.dll library used by Nextcloud Desktop Client 2.6.4 can lead to a DoS against the host system...

4.9CVSS1.3AI score0.00466EPSS
Exploits1Affected Software1
Nextcloud
Nextcloud
•added 2020/07/10 12:0 a.m.•27 views

Missing memory corruption protection on Windows release built (NC-SA-2020-035)

Missing ASLR and DEP protections in Nextcloud Desktop Client 2.6.4 for windows allowed to corrupt memory...

2.1CVSS2.9AI score0.00351EPSS
Exploits0Affected Software1
Nextcloud
Nextcloud
•added 2020/06/16 12:0 a.m.•27 views

Possible denial of service when entering a long password (NC-SA-2020-028)

Improper check of inputs in Preferred providers app 1.6.0 allowed to perform a denial of service attack when using a very long password...

5CVSS4.1AI score0.01316EPSS
Exploits1Affected Software1
Nextcloud
Nextcloud
•added 2019/10/06 12:0 a.m.•27 views

Removing emails from circles does not revoke access to shared items (NC-SA-2019-013)

Improper authorization in the Circles app 0.17.7 causes retaining access when an email address was removed from a circle...

4CVSS3.2AI score0.00831EPSS
Exploits0Affected Software1
Nextcloud
Nextcloud
•added 2019/03/26 12:0 a.m.•27 views

Reflected XSS in redirect of the Updater (NC-SA-2020-007)

Missing escaping of HTML in the Updater of Nextcloud 15.0.5 allowed a reflected XSS when starting the updater from a malicious location...

3.5CVSS0.8AI score0.00729EPSS
Exploits0Affected Software1
Nextcloud
Nextcloud
•added 2018/10/25 12:0 a.m.•27 views

Improper authentication on public shares (NC-SA-2018-012)

A missing access check could lead to continued access to password protected link shares when the owner had changed the password...

3.5CVSS3.3AI score0.00891EPSS
Exploits0Affected Software1
Total number of security vulnerabilities384