Bypass lock protection in Android app (NC-SA-2019-008)
If an attacker has physical access to an Android smartphone without a screen lock, but with Nextcloud installed and set up, they can circumvent the passcode protection by repeatedly opening and closing the app in a very short time...
Session fixation on public share page (NC-SA-2018-013)
A bug causing session fixation could potentially allow an attacker to obtain access to password protected shares...
File access control rules not applied to image previews (NC-SA-2018-002)
A missing check for read permissions allowed users that received an incoming share containing files tagged so they should be denied access to still request a preview for those files...
Stored XSS in Gallery application (NC-SA-2017-010)
A JavaScript library used by Nextcloud for sanitizing untrusted user-input suffered from an XSS vulnerability caused by a behaviour change in Safari 10.1 and 10.2. Note that Nextcloud employs a strict Content-Security-Policy preventing exploitation of this XSS issue on modern web browsers...
Permission increase on re-sharing via OCS API (NC-SA-2017-001)
A permission related issue within the OCS sharing API allowed an authenticated adversary to reshare shared files with an increasing permission set. This may allow an attacker to edit files in a share despite having only a 'read' permission set. Note that this only affects folders and files that th...
Content-Spoofing in "files" app (NC-SA-2016-010)
The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user...
Stored XSS in "gallery" application (NC-SA-2016-001)
Due to a recent migration of the Gallery app to the new sharing endpoint a parameter changed from an integer to a string value. This value wasn't sanitized before and was thus now vulnerable to a Cross-Site-Scripting attack. To exploit this vulnerability an authenticated attacker has to share a...
Improper handling of request URLs in Guests app allows guest users to bypass app allowlist
HTML injection in search UI when selecting a circle with HTML in the display name
Missing brute force protection on password confirmation modal
Calendar name length not validated before writing to database
nextcloudcmd incorrectly trusts bad TLS certificates
Improper sanitization of HTML in directory names (NC-SA-2019-009)
Some basic HTML tags were rendered as Markup in directory names...
Improper authentication on public shares (NC-SA-2018-012)
A missing access check could lead to continued access to password protected link shares when the owner had changed the password...
End-to-End encrypted file-drops can be made inaccessible
Database resource exhaustion for logged-in users via sharee recommendations with circles
Lack of ratelimit on public share link mount endpoint
Lack of ratelimit on shareinfo endpoint
Ratelimit not applied on OCS API responses
Memory Leak in OCUtil.dll library in Desktop client can lead to DoS (NC-SA-2020-034)
A memory leak in the OCUtil.dll library used by Nextcloud Desktop Client 2.6.4 can lead to a DoS against the host system...
Missing memory corruption protection on Windows release built (NC-SA-2020-035)
Missing ASLR and DEP protections in Nextcloud Desktop Client 2.6.4 for Windows allowed to corrupt memory...
Possible denial of service when entering a long password (NC-SA-2020-028)
Improper check of inputs in Preferred providers app 1.6.0 allowed to perform a denial of service attack when using a very long password...
Limit contacts photo uploading to images (NC-SA-2020-024)
A missing file type check in Nextcloud Contacts 3.2.0 allowed a malicious user to upload any file as avatars...
SSRF protection bypass in calendar subscriptions (NC-SA-2020-014)
A missing check for IPv4 nested inside IPv6 in Nextcloud server 17.0.1 allowed an SSRF when subscribing to a malicious calendar URL...
File-drop content is visible through the gallery app (NC-SA-2019-012)
Improper authorization in Nextcloud server 17.0.0 causes leaking of previews and files when a file-drop share link is opened via the gallery app...
Removing emails from circles does not revoke access to shared items (NC-SA-2019-013)
Improper authorization in the Circles app 0.17.7 causes retaining access when an email address was removed from a circle...
Renaming an item to a protected hidden folder deletes the target (NC-SA-2020-017)
Improper access control in Groupfolders app 4.0.3 allowed to delete hidden directories when renaming an accessible item to the same name...
Improper access control checks for share expiration date (NC-SA-2019-002)
A missing check could give recipient the possibility to extend the expiration date of a share they received...
Reflected XSS in redirect of the Updater (NC-SA-2020-007)
Missing escaping of HTML in the Updater of Nextcloud 15.0.5 allowed a reflected XSS when starting the updater from a malicious location...
Stored XSS in autocomplete suggestions for file comments (NC-SA-2018-008)
A missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected user names, hence malicious search results could only be crafted by authenticated users...
Bypassing quota limitation (NC-SA-2017-005)
Due to not properly sanitizing values provided by the OC-Total-Length HTTP header an authenticated adversary may be able to exceed their configured user quota, thus using more space than allowed by the administrator...
Content-Spoofing in "dav" app (NC-SA-2016-011)
The exception message displayed on the DAV endpoints contained partially user-controllable input leading to a potential misrepresentation of information...
Edit permission check not enforced on WebDAV COPY action (NC-SA-2016-004)
The WebDAV endpoint was not properly checking the permission on a WebDAV "COPY" action. This allowed an authenticated attacker with access to a read-only share to put new files in there. It was not possible to modify existing files...
Can access comments and attachments of deleted cards
Event create can create attachments that link to other websites
ID4me feature of OpenID connect app available even when disabled
Missing rate limiting on password reset functionality allows sending lots of emails
Exception logging in Sharepoint app reveals clear-text connection details
Improper access control to messages of Social app (NC-SA-2020-042)
Improper access control in Social app 0.3.1 allowed to read posts of any user...
New users can read all Nextcloud Deck data from previous user with same username (NC-SA-2021-007)
A logic error in Nextcloud Deck 1.0.1 allowed new users with a duplicate user identifier to use deck data of a previous deleted user...
Thumbnails of files leaked via Android content provider (NC-SA-2019-007)
If an attacker has physical access to an Android smartphone without a screen lock, but with Nextcloud installed and set up, he can easily access the Nextcloud files even if the Nextcloud app is locked with a fingerprint or pin...
Event details leaked when sharing a non-public calendar event (NC-SA-2020-013)
Improper preservation of permissions in Nextcloud Server 14.0.3 causes the event details to be leaked when sharing a non-public event...
Stored XSS in autocomplete suggestions for chat @-mentions (NC-SA-2018-009)
A missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected user names, hence malicious search results could only be crafted by authenticated users...
App password scope can be changed for other users (NC-SA-2018-001)
A missing ownership check allowed logged-in users to change the scope of app passwords of other users. Note that the app passwords themselves were neither disclosed nor could the error be misused to identify as another user...
Bypass of second factor authentication on DAV endpoints by reusing a pre-2FA session ID
Missing password confirmation when changing external storage options
Link reference provider can be tricked into downloading bigger files than intended
Admins can change authentication details of user configured external storage
Download permissions can be changed by resharer
SMTP Command Injection in iCalendar Attachments to emails via newlines