End-to-end encryption device setup did not verify public key
Improper neutralization of item names in projects feature (NC-SA-2020-009)
Improper neutralization of file names, conversation names and board names in Nextcloud Server 16.0.3, Nextcloud Talk 6.0.3 and Nextcloud Deck 0.6.5 causes an XSS when linking them with each other in a project...
Bypass lock protection in Android app (NC-SA-2019-004)
Creating a fake multi-account and aborting the process would redirect the user to the default account of the device without asking for the lock pattern if one was set up...
Improper access control checks for single share previews (NC-SA-2018-014)
A missing check could give unauthorized access to the previews of single file password protected shares...
DOM XSS vulnerability in search dialogue (NC-SA-2017-007)
Inadequate escaping led to an XSS vulnerability in the search module. To be exploitable, a user has to write or paste malicious content into the search dialogue...
Stored XSS in CardDAV image export (NC-SA-2016-008)
The CardDAV image export functionality as implemented in Nextcloud allows the download of images stored within a vCard. Because no verification of any kind is performed on the image content, this is prone to a stored Cross-Site Scripting attack. Note: Nextcloud employs a very strict Content Security...
Shares are not removed when user is limited to share with in their groups and being removed from one of them
Incomplete sanitization of SVG files allows embedding other images into previews
Potential hash collision for background jobs could skip queuing them
Read-only users can restore old versions
Calendar app returns full stacktrace when an error happens while editing appointment
Require strict cookies for image proxy requests
Ownership check missing when updating or deleting mail attachments
Social App does not validate server certificates for outgoing connections (NC-SA-2020-043)
Missing validation of server certificates for outgoing connections allowed a man-in-the-middle attack...
Improper access control allows injecting tasks into other users' decks (NC-SA-2020-022)
Improper access control in Nextcloud Deck 1.0.0 allowed an attacker to inject tasks into other users' decks...
Share information of Tables app is not limited to affected users
Improper check for access to application database (NC-SA-2018-015)
A too permissive check allowed an installed application that contained the Nextcloud client package name to obtain access to the database of the Nextcloud application. At the time of disclosure there were no applications within the Google Play Store that fulfill this requirement...
Improper authorization check on removing shares (NC-SA-2016-007)
The Sharing Backend as implemented in Nextcloud does differentiate between shares to users and groups. In case of a received group share, users should be able to unshare the file to themselves but not to the whole group. The previous API implementation did simply unshare the file to all users in...
Desktop client created folders with world-readable and world-writable permissions on Linux
Attachments folder for Text app is accessible on "Files drop" and "Password protected" shares
Mail auto configurator sends account information to `autoconfig.tld` server when no auto-configuration is possible
user_ldap app logs user passwords in the log file at log level debug
Desktop client behaves incorrectly if the initial end-to-end-encryption signature is empty
Open redirection when logging in with User OIDC
ID4me does not validate signature or expiration
Bypass lock protection in Android app (NC-SA-2020-004)
A wrong check for the system time in the Android App 3.9.0 causes a bypass of the lock protection when changing the time of the system to the past...
Bypass of 2 Factor Authentication (NC-SA-2018-007)
Improper authentication of the second factor challenge would allow an attacker that had access to user credentials to bypass the second factor validation completely...
Users can copy folders that contain files blocked by the files access control
Issuer not verified from obtained token in user_oidc
Valid share tokens allow access to temporary upload files of share owner
OAuth2 client secrets were stored in a recoverable way
Second factor not requested after session timeout
Bypass group folder quota limit using attachment in text file
3rdparty applications can create share links via socket API
Authorization Bypass Through User-Controlled Key in Tables
User password is available in memory of the PHP process
Tables app allows limited SQLi in ORDER BY with malicious sort order argument for Table Views
Authentication Bypass in ID4me handling via Missing JWT Signature Verification in User OIDC
XSS in SVG images when opened outside of Nextcloud
Improper validation of data passed to JSON encoder (NC-SA-2018-006)
Improper validation of input allowed an attacker to not have their actions logged to the audit log...
Deleting a Forms collaborator share leaves uploaded response files accessible through a lingering Files share
Information Disclosure of view filter metadata via Broken Sensitive Data Masking in ViewService
View-only guests could see deleted Collectives pages in the trashbin
fileId parameter reveals workflow associations in Nextcloud Approval app
Calendar attachments of local files are offered for download
Test remote endpoint is not rate limited
Propfind requests for file comments allowed loading comments for other files
Hidden Public Link creation when sharing to a Team External Member
Wrong condition in the User OIDC app's LdapService allowed deleted LDAP users to authenticate
Open Redirect in user_oidc login flow via protocol-relative URL bypass