384 matches found
XSS in SVG images when opened outside of Nextcloud
None...
Propfind requests for file comments allowed to load comments for other files
None...
Two-Factor Authentication Bypass via Pending Session Token Replay
None...
Hidden Public Link creation when sharing to a Team External Member
None...
View-only guests could see deleted Collectives pages in the trashbin
None...
Tables app share information not limited to relevant users
None...
Bypass group folder quota limit using attachment in text file
None...
3rdparty applications can create share links via socket API
None...
Missing permission check for reading form submissions
None...
ACL Rename Permission Bypass in Team Folders Allows Unauthorized File Renames
None...
Users can modify tags on files that do not belong to them
None...
Test remote endpoint is not rate limited
None...
Improper validation of data passed to JSON encoder (NC-SA-2018-006)
Improper validation of input allowed an attacker to not have their actions logged to the audit log...
Private circle can be added to another circle via API
None...
Wrong condition in the User OIDC app's LdapService allowed deleted LDAP users to authenticate
None...
Unauthorized force-mute from missing permission check when using internal signaling
None...
Mail stored HTML injection in subject text
None...
Deck app allowed user with "Can share" permission to modify permissions of other non-owners
None...
Cross-Account Calendar Takeover via Unauthorized Group-Member-Set Update
None...
Limited path traversal via template API if using `{lang}` in config
None...
Authorization bypass in approval feature allows unauthorized file sharing with approvers
None...
Missing ownership check in Tables app allows moving columns into tables of other users
None...
Calendar app leaked user identifiers via attendee suggestion endpoint
None...
Files Lock app allows users to lock and unlock files of other users
None...
Approval app allows users to request approval for other users file
None...
admin_audit does not log all actions on files in groupfolders
None...
Stored XSS in contacts app via organisation and title field
None...
Calendar app used predictable proposal participant tokens
None...
Contacts search allowed users to retrieve contact information of other users beyond their contact list
None...
Users with read-only permissions for team folder can restore deleted files from trash bin
None...
Information disclosure via Desktop client when attempting to lock a file inside a end-to-end encrypted directory
None...
WebAuthn app was updated based on public key
None...
Participants were able to blindly delete poll drafts of other users by ID
None...
Development files shipped in files_pdfviewer app
None...