Bypass of image blocking in Nextcloud Mail

None...

Lack of ratelimit on public DAV endpoint

None...

Lack of ratelimit on shareinfo endpoint

None...

Nextcloud Talk not properly disassociating users from chats after account deletion

None...

Application specific tokens can change their own scope

None...

Audit log is not properly logging unsetting of share expiration date

None...

Filenames not escaped by default in controllers using DownloadResponse

None...

Ratelimit not applied on OCS API responses

None...

Malicious Android app could access Shared Preferences of the Nextcloud Android client

None...

Malicious Android application can crash the Nextcloud Android Client

None...

Session Fixation in Nextcloud Talk

None...

Sensitive data may not be removed from storage on account removal

None...

Malicious user could break user administration page

None...

Default Nextcloud Server and iOS Client leak sharee searches to Nextcloud

None...

Trusted servers exchange can be triggered by attacker

None...

Attacker can obtain write access to any federated share/public link

None...

Files Drop public link can be added as federated share

None...

Default settings leak federated cloud ID to lookup server of all users

None...

End to end encryption folder locking is not properly protected

None...

Missing permission check on email metadata retrieval

None...

Default Nextcloud Server and Android Client leak sharee searches to Nextcloud

None...

Ratelimiting can be bypassed using IPv6 subnets

None...

Nextcloud deck sharee search leaks searches to lookupserver by default

None...

SSL certificate was not validated in Provider Registration Flow

None...

Alias creation did not validate account ID

None...

Missing URL validation allowed RCE for the server on the Desktop client (NC-SA-2021-008)

Missing validation of URLs in Nextcloud Desktop Client 3.1.2 and earlier allowed a malicious server to execute code on the client. User interaction was required...

External storage credentials stored for wrong user (NC-SA-2021-004)

A missing user check in Nextcloud 20.0.5 and prior allowed to populate your own credentials for other users external storage configuration when they did not configure one yet...

Reflected XSS when renaming malicious file (NC-SA-2021-005)

Missing sanitization in Nextcloud Server 20.0.5 and prior allowed to perform a reflected XSS when saving html as file name and causing an error on rename e.g. by renaming to an existing file. The risk is mostly mitigated due to the strict Content-Security-Policy CSP of Nextcloud, and thus mainly...

Stored XSS in markdown file with Nextcloud Talk using Internet Explorer (NC-SA-2021-002)

A missing link validation in Nextcloud Server 20.0.1 allowed to execute a stored XSS attack on Internet Explorer users by saving a javascript url in a Markdown...

Potential DDoS when posting long data into workflow validation rules (NC-SA-2021-001)

A missing input validation in Nextcloud Server 20.0.1 allowed users to store unlimited data in workflow rules causing load and potential DDoS on later interactions and usage with those rules...

XSS through image upload of contacts using svg file (NC-SA-2020-045)

A missing file type check in Nextcloud Contacts 3.3.0 allowed a malicious user to upload malicious SVG files to perform XSS attacks...

XSS through image upload on contacts using svg file with png extension (NC-SA-2020-044)

A missing file type check in Nextcloud Contacts 3.4.0 allowed a malicious user to upload SVG files as PNG files to perform XSS attacks...

Improper access control to messages of Social app (NC-SA-2020-042)

Improper access control in Social app 0.3.1 allowed to read posts of any user...

Social App does not validate server certificates for outgoing connections (NC-SA-2020-043)

Missing validation of server certificates for out-going connections allowed a man-in-the-middle attack...

External storage app saves password for all users in the database (NC-SA-2021-006)

A missing condition in Nextcloud Server 19 and prior caused the external storage app to always store the users password in a recoverable format...

Improper integrity protection of server-side encryption keys (NC-SA-2020-041)

Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the encryption keys...

Improper confidentiality protection of server-side encryption keys (NC-SA-2020-040)

Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the public key to decrypt them later on...

Denial of Service by requesting to reset a password (NC-SA-2021-003)

A wrong check in Nextcloud Server 19 and prior allowed to perform a denial of service attack when resetting the password for a user...

Message Authentication Codes calculated by the Default Encryption Module allow an attacker to silently overwrite blocks in a file (NC-SA-2020-038)

A wrong generation of the passphrase for the encrypted block in Nextcloud Server 19.0.1 allowed an attacker to overwrite blocks in a file...

Downgrade encryption scheme and break integrity through known-plaintext attack (NC-SA-2020-039)

A cryptographic issue in Nextcloud Server 19.0.1 allowed an attacker to downgrade the encryption scheme and break the integrity of encrypted files...

PIN for passwordless WebAuthn is asked for but not verified (NC-SA-2020-037)

A wrong configuration in Nextcloud Server 19.0.1 incorrectly made the user feel the passwordless WebAuthn is also a two factor verification by asking for the PIN of the passwordless WebAuthn but not verifying it...

Missing rate limit on signup page (NC-SA-2020-033)

A missing rate limit in the Preferred Providers app 1.7.0 allowed an attacker to set the password an uncontrolled amount of times...

Re-Sharing allows increase of privileges (NC-SA-2020-029)

A logic error in Nextcloud Server 19.0.0 caused a privilege escalation allowing malicious users to reshare with higher permissions than they got assigned themselves...

Access control missing while viewing the attachments in the 'All boards' (NC-SA-2020-036)

Missing access control in Nextcloud Deck 1.0.4 caused an insecure direct object reference allowing an attacker to view all attachments...

Clear text storage of proxy parameters and passwords (NC-SA-2020-031)

A cleartext storage of sensitive information in Nextcloud Desktop Client 2.6.4 gave away information about used proxies and their authentication credentials...

Linux client is vulnerable to directory traversal when downloading files (NC-SA-2020-032)

Missing sanitization of a server response in Nextcloud Desktop Client 2.6.4 for Linux allowed a malicious Nextcloud Server to store files outside of the dedicated sync directory...

Arbitrary code execution in desktop client via OpenSSL config (NC-SA-2020-030)

A code injection in Nextcloud Desktop Client 2.6.4 allowed to load arbitrary code when placing a malicious OpenSSL config into a fixed directory...

XSS in desktop client via invalid server address on login form (NC-SA-2020-027)

A cross-site scripting error in Nextcloud Desktop client 2.6.4 allowed to present any html including local links when responding with invalid data on the login attempt...

Memory Leak in OCUtil.dll library in Desktop client can lead to DoS (NC-SA-2020-034)

A memory leak in the OCUtil.dll library used by Nextcloud Desktop Client 2.6.4 can lead to a DoS against the host system...

Missing memory corruption protection on Windows release built (NC-SA-2020-035)

Missing ASLR and DEP protections in Nextcloud Desktop Client 2.6.4 for windows allowed to corrupt memory...