
384 matches found

Nextcloud • added 2020/06/16 12:00 a.m. • 25 views

Possible denial of service when entering a long password (NC-SA-2020-028)

Improper check of inputs in Preferred providers app 1.6.0 allowed to perform a denial of service attack when using a very long password...

CVSS 5 • AI score 4.1 • EPSS 0.01316
Exploits 1 • Affected Software 1

Nextcloud • added 2020/06/04 12:00 a.m. • 34 views

Increase random used for encryption (NC-SA-2020-023)

A too small set of random characters being used for encryption in Nextcloud Server 18.0.4 allowed decryption in shorter time than intended...

CVSS 3.5 • AI score 3.3 • EPSS 0.00365
Exploits 1 • Affected Software 1

Nextcloud • added 2020/06/04 12:00 a.m. • 33 views

Password of share by mail is not hashed when given on the create share call (NC-SA-2020-026)

A logic error in Nextcloud Server 19.0.0 caused a plaintext storage of the share password when it was given on the initial create API call...

CVSS 5 • AI score 1.1 • EPSS 0.01889
Exploits 1 • Affected Software 1

Nextcloud • added 2020/06/03 12:00 a.m. • 24 views

New users can read all Nextcloud Deck data from previous user with same username (NC-SA-2021-007)

A logic error in Nextcloud Deck 1.0.1 allowed new users with a duplicate user identifier to use deck data of a previous deleted user...

CVSS 4 • AI score 3.7 • EPSS 0.01339
Exploits 1 • Affected Software 1

Nextcloud • added 2020/05/15 12:00 a.m. • 22 views

Improper access control allows injecting tasks into other users decks (NC-SA-2020-022)

Improper access control in Nextcloud Deck 1.0.0 allowed an attacker to inject tasks into other users decks...

CVSS 4 • AI score 5.4 • EPSS 0.00636
Exploits 0 • Affected Software 1

Nextcloud • added 2020/04/20 12:00 a.m. • 48 views

Code injection possible with malformed Nextcloud Talk chat commands (NC-SA-2020-021)

A too lax check in Nextcloud Talk 6.0.4, 7.0.2 and 8.0.7 allowed a code injection when a not correctly sanitized talk command was added by an administrator...

CVSS 6.5 • AI score 2.6 • EPSS 0.01668
Exploits 1 • Affected Software 1

Nextcloud • added 2020/04/16 12:00 a.m. • 25 views

Limit contacts photo uploading to images (NC-SA-2020-024)

A missing file type check in Nextcloud Contacts 3.2.0 allowed a malicious user to upload any file as avatars...

CVSS 4 • AI score 4.1 • EPSS 0.0079
Exploits 0 • Affected Software 1

Nextcloud • added 2020/04/08 12:00 a.m. • 30 views

Missing permission check on resharing a board (NC-SA-2020-025)

Improper access control in Nextcloud Deck 0.8.0 allowed an attacker to reshare boards shared with them with more permissions than they had themselves...

CVSS 6 • AI score 3 • EPSS 0.01023
Exploits 1 • Affected Software 1

Nextcloud • added 2020/03/24 12:00 a.m. • 43 views

Mail app not verifying TLS host of mail servers (NC-SA-2020-020)

A missing verification of the TLS host in Nextcloud Mail 1.1.3 allowed a man in the middle attack...

CVSS 6.8 • AI score 2.9 • EPSS 0.00933
Exploits 0 • Affected Software 1

Nextcloud • added 2020/03/18 12:00 a.m. • 75 views

XSS in Files PDF viewer (NC-SA-2020-019)

An outdated 3rd party library in the Files PDF viewer for Nextcloud Server 18.0.2 caused a Cross-site scripting vulnerability when opening a malicious PDF...

CVSS 3.5 • AI score 2.2 • EPSS 0.01138
Exploits 0 • Affected Software 1

Nextcloud • added 2020/03/18 12:00 a.m. • 37 views

Missing ownership check on remote wipe endpoint (NC-SA-2020-018)

An Insecure direct object reference vulnerability in Nextcloud Server 18.0.2 allowed an attacker to remote wipe devices of other users when sending a malicious request directly to the endpoint...

CVSS 6.8 • AI score 4.4 • EPSS 0.01773
Exploits 1 • Affected Software 1

Nextcloud • added 2020/02/17 12:00 a.m. • 36 views

Code injection in Nextcloud Desktop Client for macOS (NC-SA-2020-016)

A code injection in Nextcloud Desktop Client 2.6.2 for macOS allowed to load arbitrary code when starting the client with DYLD_INSERT_LIBRARIES set in the environment...

CVSS 4.6 • AI score 3 • EPSS 0.00689
Exploits 1 • Affected Software 1

Nextcloud • added 2020/02/07 12:00 a.m. • 32 views

Secure view shares can be downloaded by manipulating the URL (NC-SA-2020-015)

A missing access control check in Nextcloud Server 18.0.0 causes hide-download shares to be downloadable when appending /download to the URL...

CVSS 4 • AI score 2.4 • EPSS 0.01536
Exploits 0 • Affected Software 1

Nextcloud • added 2019/12/12 12:00 a.m. • 25 views

SSRF protection bypass in calendar subscriptions (NC-SA-2020-014)

A missing check for IPv4 nested inside IPv6 in Nextcloud server 17.0.1 allowed an SSRF when subscribing to a malicious calendar URL...

CVSS 4 • AI score 2.6 • EPSS 0.01395
Exploits 1 • Affected Software 1

Nextcloud • added 2019/12/05 12:00 a.m. • 18 views

Bypass lock protection in Android app (NC-SA-2020-004)

A wrong check for the system time in the Android App 3.9.0 causes a bypass of the lock protection when changing the time of the system to the past...

CVSS 3.6 • AI score 2.4 • EPSS 0.00369
Exploits 0 • Affected Software 1

Nextcloud • added 2019/12/04 12:00 a.m. • 28 views

Workflow rules only check the file extension for the mimetype instead of the content (NC-SA-2020-002)

A bug in Nextcloud Server 17.0.1 causes the workflow rules to depend their behaviour on the file extension when checking file mimetypes...

CVSS 6 • AI score 2.7 • EPSS 0.0113
Exploits 0 • Affected Software 1

Nextcloud • added 2019/11/20 12:00 a.m. • 34 views

Missing sanitization in iOS App allows XSS (NC-SA-2020-003)

Missing sanitization in the iOS App 2.24.4 causes an XSS when opening malicious HTML files...

CVSS 3.5 • AI score 1.3 • EPSS 0.00783
Exploits 0 • Affected Software 1

Nextcloud • added 2019/11/12 12:00 a.m. • 54 views

Login and token disclosure to other Nextcloud services (NC-SA-2019-017)

Violation of Secure Design Principles in the iOS App 2.23.0 causes the app to leak its login and token to other Nextcloud services when searching, e.g., for federated users or registering for push notifications...

CVSS 4 • AI score 2.5 • EPSS 0.01081
Exploits 0 • Affected Software 1

Nextcloud • added 2019/10/25 12:00 a.m. • 27 views

Duplicate setup of second factor allowed (NC-SA-2020-006)

A missing check in Nextcloud Server 17.0.0 allowed an attacker to set up a new second factor when trying to login...

CVSS 5.5 • AI score 2.8 • EPSS 0.00607
Exploits 0 • Affected Software 1

Nextcloud • added 2019/10/22 12:00 a.m. • 25 views

File-drop content is visible through the gallery app (NC-SA-2019-012)

Improper authorization in Nextcloud server 17.0.0 causes leaking of previews and files when a file-drop share link is opened via the gallery app...

CVSS 4 • AI score 3.3 • EPSS 0.00915
Exploits 0 • Affected Software 1

Nextcloud • added 2019/10/06 12:00 a.m. • 25 views

Removing emails from circles does not revoke access to shared items (NC-SA-2019-013)

Improper authorization in the Circles app 0.17.7 causes retaining access when an email address was removed from a circle...

CVSS 4 • AI score 3.2 • EPSS 0.00831
Exploits 0 • Affected Software 1

Nextcloud • added 2019/09/04 12:00 a.m. • 27 views

Missing default timeout on HTTP requests (NC-SA-2020-005)

Dangling remote share attempts in Nextcloud 16 allow a DNS pollution when running long...

CVSS 4 • AI score 1.7 • EPSS 0.00765
Exploits 0 • Affected Software 1

Nextcloud • added 2019/08/12 12:00 a.m. • 41 views

Group admins can create users with IDs of system folders (NC-SA-2019-015)

Improper Input Validation in Nextcloud Server 15.0.7 allows group admins to create users with IDs of system folders...

CVSS 4 • AI score 4 • EPSS 0.01472
Exploits 1 • Affected Software 1

Nextcloud • added 2019/08/02 12:00 a.m. • 28 views

Reflected XSS in svg logo generation (NC-SA-2019-018)

A reflected Cross-Site Scripting vulnerability was discovered in the svg generation...

CVSS 4.3 • AI score 1.8 • EPSS 0.00916
Exploits 1 • Affected Software 1

Nextcloud • added 2019/07/29 12:00 a.m. • 28 views

Name of private conversations leaked when linked via projects to a shared item (NC-SA-2020-011)

Improper access control in Nextcloud Talk 6.0.3 leaks the existence and the name of private conversations when linking them to another shared item via the projects feature...

CVSS 4 • AI score 4.3 • EPSS 0.00766
Exploits 0 • Affected Software 1

Nextcloud • added 2019/07/29 12:00 a.m. • 27 views

Improper neutralization of item names in projects feature (NC-SA-2020-010)

Improper neutralization of file names, conversation names and board names in Nextcloud Server 16.0.3, Nextcloud Talk 6.0.3 and Nextcloud Deck 0.6.5 causes an XSS when linking them with each other in a project...

CVSS 3.5 • AI score 3.7 • EPSS 0.0084
Exploits 0 • Affected Software 1

Nextcloud • added 2019/07/29 12:00 a.m. • 29 views

Improper neutralization of item names in projects feature (NC-SA-2020-008)

Improper neutralization of file names, conversation names and board names in Nextcloud Server 16.0.3, Nextcloud Talk 6.0.3 and Nextcloud Deck 0.6.5 causes an XSS when linking them with each other in a project...

CVSS 3.5 • AI score 3.7 • EPSS 0.0084
Exploits 0 • Affected Software 1

Nextcloud • added 2019/07/29 12:00 a.m. • 23 views

Improper neutralization of item names in projects feature (NC-SA-2020-009)

Improper neutralization of file names, conversation names and board names in Nextcloud Server 16.0.3, Nextcloud Talk 6.0.3 and Nextcloud Deck 0.6.5 causes an XSS when linking them with each other in a project...

CVSS 3.5 • AI score 3.7 • EPSS 0.0084
Exploits 0 • Affected Software 1

Nextcloud • added 2019/07/26 12:00 a.m. • 50 views

SQL injection in Android app content provider (NC-SA-2019-005)

The content provider of the app accepted arbitrary strings in the field list of the returned file list. This allowed an attacker to run harmful queries, destroying the local cache of the android app. The server data however was never in danger, so removing the account and setting it up again can...

CVSS 7.5 • AI score 2.7 • EPSS 0.02019
Exploits 0 • Affected Software 1

Nextcloud • added 2019/07/26 12:00 a.m. • 23 views

Bypass lock protection in Android app (NC-SA-2019-004)

Creating a fake multi-account and aborting the process would redirect the user to the default account of the device without asking for the lock pattern if one was set up...

CVSS 4.6 • AI score 2.8 • EPSS 0.00463
Exploits 1 • Affected Software 1

Nextcloud • added 2019/07/26 12:00 a.m. • 21 views

Improper check for access to application database (NC-SA-2018-015)

A too permissive check allowed an installed application that contained the Nextcloud client package name to obtain access to the database of the Nextcloud application. At the time of disclosure there are no applications within the Google Play Store that fulfill this requirement...

AI score 2.3
Exploits 0 • Affected Software 1

Nextcloud • added 2019/07/26 12:00 a.m. • 26 views

Improper sanitization of HTML in directory names (NC-SA-2019-009)

Some basic HTML tags were rendered as Markup in directory names...

CVSS 4.6 • AI score 0.5 • EPSS 0.00495
Exploits 1 • Affected Software 1

Nextcloud • added 2019/07/26 12:00 a.m. • 33 views

Query restriction bypass on exposed FileContentProvider in Android app (NC-SA-2019-011)

Not strictly enough sanitization allowed an attacker to get content information from protected tables when using custom queries...

CVSS 2.1 • AI score 2.8 • EPSS 0.00507
Exploits 1 • Affected Software 1

Nextcloud • added 2019/07/26 12:00 a.m. • 28 views

Bypass lock protection in Android app (NC-SA-2019-006)

If an attacker has physical access to an Android smartphone without a screen lock, but with nextcloud installed and set up, they can easily access the nextcloud-files even if the nextcloud app is locked with a fingerprint or pin...

CVSS 3.6 • AI score 2.4 • EPSS 0.00469
Exploits 1 • Affected Software 1

Nextcloud • added 2019/07/26 12:00 a.m. • 24 views

Thumbnails of files leaked via Android content provider (NC-SA-2019-007)

If an attacker has physical access to an Android smartphone without a screen lock, but with nextcloud installed and set up, he can easily access the nextcloud-files even if the nextcloud app is locked with a fingerprint or pin...

CVSS 2.1 • AI score 2.9 • EPSS 0.00434
Exploits 1 • Affected Software 1

Nextcloud • added 2019/07/26 12:00 a.m. • 46 views

SQL Injection in lookup-server (NC-SA-2019-010)

Improper sanitation of user input allowed any unauthenticated user to perform SQL injection attacks...

CVSS 7.5 • AI score 3.7 • EPSS 0.01788
Exploits 0 • Affected Software 1

Nextcloud • added 2019/07/26 12:00 a.m. • 27 views

Bypass lock protection in Android app (NC-SA-2019-008)

If an attacker has physical access to an Android smartphone without a screen lock, but with nextcloud installed and set up, they can circumvent the passcode protection by repeatedly opening and closing the app in a very short time...

CVSS 2.1 • AI score 1.7 • EPSS 0.00385
Exploits 0 • Affected Software 1

Nextcloud • added 2019/07/15 12:00 a.m. • 25 views

Renaming an item to a protected hidden folder deletes the target (NC-SA-2020-017)

Improper access control in Groupfolders app 4.0.3 allowed to delete hidden directories when renaming an accessible item to the same name...

CVSS 5.5 • AI score 3.7 • EPSS 0.01856
Exploits 1 • Affected Software 1

Nextcloud • added 2019/07/04 12:00 a.m. • 30 views

Server-Side request forgery in New-Subscription feature of the calendar app (NC-SA-2019-014)

An authenticated server-side request forgery in Nextcloud server 16.0.1 allowed to detect local and remote services when adding a new subscription in the calendar application...

CVSS 4 • AI score 2.5 • EPSS 0.01287
Exploits 1 • Affected Software 1

Nextcloud • added 2019/06/27 12:00 a.m. • 40 views

Improper permission preservation on reshares (NC-SA-2020-012)

Improper permissions preservation in Nextcloud Server 16.0.1 causes sharees to be able to reshare with write permissions when sharing the mount point of a share they received, as a public link...

CVSS 4 • AI score 2.2 • EPSS 0.01056
Exploits 0 • Affected Software 1

Nextcloud • added 2019/06/26 12:00 a.m. • 32 views

User IDs and Nextcloud server leaked to Nextcloud Lookup server with disabled settings (NC-SA-2019-016)

Exposure of Private Information in Nextcloud Server 16.0.1 causes the server to send its domain and user IDs to the Nextcloud Lookup Server without any further data when the Lookup server is disabled...

CVSS 5 • AI score 1.6 • EPSS 0.01924
Exploits 1 • Affected Software 1

Nextcloud • added 2019/04/12 12:00 a.m. • 31 views

Improper share updates could result in extended data access (NC-SA-2019-003)

A bug could expose more data in reshared link shares than intended by the sharer...

CVSS 5.5 • AI score 2.2 • EPSS 0.01036
Exploits 1 • Affected Software 1

Nextcloud • added 2019/04/12 12:00 a.m. • 25 views

Improper access control checks for share expiration date (NC-SA-2019-002)

A missing check could give a recipient the possibility to extend the expiration date of a share they received...

CVSS 4 • AI score 2.3 • EPSS 0.00684
Exploits 1 • Affected Software 1

Nextcloud • added 2019/04/12 12:00 a.m. • 31 views

Classification of calendar events is ignored by the activity stream (NC-SA-2019-001)

A missing check revealed the name of confidential events and private events to all users of a shared calendar...

CVSS 4 • AI score 3.5 • EPSS 0.00854
Exploits 0 • Affected Software 1

Nextcloud • added 2019/04/01 12:00 a.m. • 34 views

2FA sessions not properly expired on password change (NC-SA-2020-001)

A bug in Nextcloud Server 15.0.2 causes pending 2FA logins to not be correctly expired when the password of the user is reset...

CVSS 3.2 • AI score 1.2 • EPSS 0.0032
Exploits 0 • Affected Software 1

Nextcloud • added 2019/03/26 12:00 a.m. • 25 views

Reflected XSS in redirect of the Updater (NC-SA-2020-007)

Missing escaping of HTML in the Updater of Nextcloud 15.0.5 allowed a reflected XSS when starting the updater from a malicious location...

CVSS 3.5 • AI score 0.8 • EPSS 0.00729
Exploits 0 • Affected Software 1

Nextcloud • added 2018/11/15 12:00 a.m. • 24 views

Event details leaked when sharing a non-public calendar event (NC-SA-2020-013)

Improper preservation of permissions in Nextcloud Server 14.0.3 causes the event details to be leaked when sharing a non-public event...

CVSS 4 • AI score 2.1 • EPSS 0.00714
Exploits 0 • Affected Software 1

Nextcloud • added 2018/10/25 12:00 a.m. • 28 views

Session fixation on public share page (NC-SA-2018-013)

A bug causing session fixation could potentially allow an attacker to obtain access to password protected shares...

CVSS 3.6 • AI score 3.9 • EPSS 0.00545
Exploits 0 • Affected Software 1

Nextcloud • added 2018/10/25 12:00 a.m. • 26 views

Improper authentication on public shares (NC-SA-2018-012)

A missing access check could lead to continued access to password protected link shares when the owner had changed the password...

CVSS 3.5 • AI score 3.3 • EPSS 0.00891
Exploits 0 • Affected Software 1

Nextcloud • added 2018/10/25 12:00 a.m. • 31 views

Improper validation of permissions (NC-SA-2018-010)

Improper revalidation of permissions led to not accepting access restrictions by access tokens...

CVSS 5.5 • AI score 3.5 • EPSS 0.00957
Exploits 0 • Affected Software 1

Total number of security vulnerabilities: 384