Delete permissions are not saved when creating public share
Missing brute force protection on password confirmation modal
Messages can still be seen on conversation after expiring when cron is misconfigured
No password length restriction in reset password endpoint
Download permissions can be changed by resharer
Potential directory traversal in OC\Files\Node\Folder::getFullPath
SSRF via filter bypass due to lax checking on IPs
Missing rate limiting on password reset functionality allows sending lots of emails
IDOR Vulnerability in Nextcloud Mail
Previews are accessible without a watermark
Document content of files can be obtained through Collabora for files of other users
Mail app temporarily stores cleartext password in database until OAuth2 setup is done
Blind SSRF via server URL input in the Nextcloud Mail app
Self reflected HTML injection in Desktop client
Passcode bypass on Talk Android app
CSRF vulnerability in Nextcloud Desktop Client on Windows when clicking malicious link
Possibility to delete files attached to deck cards of other users
Missing character limitation allows to put generate a database error
Deck card reference caching can leak data to unauthorized users
Vulnerable moment-timezone version shipped
Suspicious login app ships old league/flysystem version
Guests can continue to receive video streams from call after being removed from a conversation
Disabled download shares still allow download through preview images
No password length limit when creating a user as an administrator
Calendar name length not validated before writing to database
nextcloudcmd incorrectly trusts bad TLS certificates
XSS in Desktop Client in call notification popup
XSS in Desktop Client via user status and information
XSS in Desktop Client in the notifications
Stored XSS via Authorization Endpoint - Safari-Only
Cleartext Transmission of Sensitive Information in user_oidc
Missing length validation of user displayname allows to generate an SQL error
Talk Android broadcast receiver is not protected by broadcastPermission allowing malicious apps to communicate
Desktop client can be tricked into opening/executing local files when clicking a nc://open/ link
Exception logging in Sharepoint app reveals clear-text connection details
Profile of disabled user stays accessible
Database resource exhaustion for logged-in users via sharee recommendations with circles
Last video frame is still sent after video is disabled in a call
Server-Side Request Forgery (SSRF) via potential filter bypass with too lax local domain checking
Access to internal files of the Nextcloud Android app from within the Nextcloud Android app
Listing folder content blocked by files access control when received as share
Authentication header is passed on by Nextcloud Server due to a vulnerable GuzzleHTTP version
Generated passwords are not fully validated by HIBPValidator
Missing rate limit when trying to join a password protected Nextcloud Talk conversation
Unauthenticated SSRF in 3rd party module "cerdic/csstidy"
Missing brute force protection on cloud federation sharing
Password disclosure in log file when providing incorrect additional data on initial setup of Mail App
Federated share accepting/declining is not logged in audit log
Ownership check missing when updating or deleting mail attachments
SMTP Command Injection in iCalendar Attachments to emails via newlines