384 matches found
Contacts - PHOTO svg only sanitized if mime type is all lower case
None...
Command Injection in Appointment Emails for Calendar
None...
Unauthenticated SSRF in 3rd party module "cerdic/csstidy"
None...
Attacker can obtain write access to any federated share/public link
None...
Potential directory traversal in OC\Files\Node\Folder::getFullPath
None...
Default share permissions not respected for federated reshares
None...
Blind SSRF via server URL input in the Nextcloud Mail app
None...
Application specific tokens can change their own scope
None...
Can reshare read&share only folder with more permissions
None...
Password reset endpoint is not brute force protected
None...
CSRF vulnerability in Nextcloud Desktop Client on Windows when clicking malicious link
None...
Suspicious login app ships old league/flysystem version
None...
XSS in Files PDF viewer (NC-SA-2020-019)
An outdated 3rd party library in the Files PDF viewer for Nextcloud Server 18.0.2 caused a Cross-site scripting vulnerability when opening a malicious PDF...
Document content of files can be obtained through Collabora for files of other users
None...
Folder names of "File Drop" share accessible
None...
XSS through image upload on contacts using svg file with png extension (NC-SA-2020-044)
A missing file type check in Nextcloud Contacts 3.4.0 allowed a malicious user to upload SVG files as PNG files to perform XSS attacks...
Previews are accessible without a watermark
None...
CSRF protection on user_oidc login returned the expected token in case of an error
None...
Chat poll data can still be queried from API after purging history of a chat conversation
None...
Mail app temporarily stores cleartext password in database until OAuth2 setup is done
None...
Missing User Presence Check in Nextcloud WebAuthn login
None...
File Traversal affecting SVG files on Nextcloud Server
None...
User enumeration setting not obeyed in User Status API
None...
Bruteforce protection can be bypassed with misconfigured proxy
None...
user_oidc app is missing bruteforce protection
None...
IDOR Vulnerability in Nextcloud Mail
None...
DNS pin middleware can be tricked into DNS rebinding allowing SSRF
None...
Moderator can enable cam/mic remotely if cam/mic-permission was disabled while user has activated cam/mic
None...
Path traversal allows tricking the Talk Android app into writing files into its root directory
None...
Passcode bypass on Talk Android app
None...
Lack of ratelimit on Richdocuments OCS endpoint
None...
Rate-limits not working on instances without configured memory cache backend
None...
Session Fixation in Nextcloud Talk
None...
Login and token disclosure to other Nextcloud services (NC-SA-2019-017)
Violation of Secure Design Principles in the iOS App 2.23.0 causes the app to leak its login and token to other Nextcloud services when searching, e.g., for federated users or registering for push notifications...
Access to internal files of the Nextcloud Android app from within the Nextcloud Android app
None...
Nextcloud Text app can disclose existence of folders in "File Drop" link share
None...
Possibility to delete files attached to deck cards of other users
None...
Geolocation preview links can be set to arbitrary links
None...
Deck shared with a Circle can be accessed by non-Circle members
None...
Stored XSS via Authorization Endpoint - Safari-Only
None...
Permission bypass in DiskLruImageCacheFileProvider (GHSL-2021-1008)
None...
Error in calendar when booking an appointment reveals the full path of the website
None...
Preview generation used third-party library not suited for user-generated content
None...
Default settings leak federated cloud ID to lookup server of all users
None...
SQL injection in Android app content provider (NC-SA-2019-005)
The content provider of the app accepted arbitrary strings in the field list of the returned file list. This allowed an attacker to run harmful queries, destroying the local cache of the Android app. The server data however was never in danger, so removing the account and setting it up again can...
Users can make external storage mount points inaccessible for other users
None...
Talk Android broadcast receiver is not protected by broadcastPermission allowing malicious apps to communicate
None...
High memory usage for generating preview of broken image
None...
When sharing a Deck card in conversation the metaData can be manipulated to open arbitrary URL
None...
Notification implicit PendingIntent in com.nextcloud.client allows to access contacts
None...