384 matches found

Nextcloud
• added 2018/10/25 12:00 a.m. • 23 views

Improper access control checks for single share previews (NC-SA-2018-014)

A missing check could give unauthorized access to the previews of single file password protected shares...

CVSS: 5 | AI score: 3.4 | EPSS: 0.01068
Exploits: 1 | Affected Software: 1

Nextcloud
• added 2018/10/25 12:00 a.m. • 35 views

Second factor authentication bypassed if provider fails to load (NC-SA-2018-011)

Missing state would not enforce the use of a second factor at login if the provider of the second factor failed to load...

CVSS: 4.3 | AI score: 2.5 | EPSS: 0.00811
Exploits: 0 | Affected Software: 1

Nextcloud
• added 2018/08/10 12:00 a.m. • 24 views

Stored XSS in autocomplete suggestions for chat @-mentions (NC-SA-2018-009)

A missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected user names, hence malicious search results could only be crafted by authenticated users...

CVSS: 3.5 | AI score: 2.6 | EPSS: 0.0062
Exploits: 0 | Affected Software: 1

Nextcloud
• added 2018/08/10 12:00 a.m. • 25 views

Stored XSS in autocomplete suggestions for file comments (NC-SA-2018-008)

A missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected user names, hence malicious search results could only be crafted by authenticated users...

CVSS: 3.5 | AI score: 3 | EPSS: 0.00769
Exploits: 0 | Affected Software: 1

Nextcloud
• added 2018/08/03 12:00 a.m. • 13 views

Improper validation of data passed to JSON encoder (NC-SA-2018-006)

Improper validation of input allowed an attacker to not have their actions logged to the audit log...

AI score: 4.3
Exploits: 0 | Affected Software: 1

Nextcloud
• added 2018/08/03 12:00 a.m. • 18 views

Bypass of 2 Factor Authentication (NC-SA-2018-007)

Improper authentication of the second factor challenge would allow an attacker that had access to user credentials to bypass the second factor validation completely...

AI score: 4.6
Exploits: 0 | Affected Software: 1

Nextcloud
• added 2018/06/21 12:00 a.m. • 27 views

File access control rules not applied to image previews (NC-SA-2018-002)

A missing check for read permissions allowed users that received an incoming share containing files tagged so they should be denied access to still request a preview for those files...

CVSS: 4 | AI score: 4.5 | EPSS: 0.00888
Exploits: 0 | Affected Software: 1

Nextcloud
• added 2018/06/21 12:00 a.m. • 28 views

Improper validation on OAuth2 token endpoint (NC-SA-2018-003)

Improper validation of input allowed an attacker with access to the OAuth2 refresh token to obtain new tokens...

CVSS: 5.8 | AI score: 3.9 | EPSS: 0.01657
Exploits: 0 | Affected Software: 1

Nextcloud
• added 2018/06/21 12:00 a.m. • 28 views

Stored XSS in calendar via group shares (NC-SA-2018-004)

A missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected group names, hence malicious search results could only be crafted by privileged users like admins or group admins...

CVSS: 3.5 | AI score: 4.1 | EPSS: 0.00609
Exploits: 0 | Affected Software: 1

Nextcloud
• added 2018/06/21 12:00 a.m. • 30 views

Stored XSS in contacts via group shares (NC-SA-2018-005)

A missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected group names, hence malicious search results could only be crafted by privileged users like admins or group admins...

CVSS: 3.5 | AI score: 4.1 | EPSS: 0.00637
Exploits: 0 | Affected Software: 1

Nextcloud
• added 2018/02/07 12:00 a.m. • 24 views

App password scope can be changed for other users (NC-SA-2018-001)

A missing ownership check allowed logged-in users to change the scope of app passwords of other users. Note that the app passwords themselves were neither disclosed nor could the error be misused to identify as another user...

CVSS: 4.9 | AI score: 2.6 | EPSS: 0.00778
Exploits: 0 | Affected Software: 1

Nextcloud
• added 2017/05/08 12:00 a.m. • 32 views

Reflected XSS in error pages (NC-SA-2017-008)

Inadequate escaping of error messages leads to XSS vulnerabilities in multiple components. Note that Nextcloud employs a strict Content-Security-Policy preventing exploitation of this XSS issue on modern web browsers...

CVSS: 3.5 | AI score: 3.4 | EPSS: 0.00643
Exploits: 1 | Affected Software: 1

Nextcloud
• added 2017/05/08 12:00 a.m. • 29 views

Calendar and addressbook names disclosed (NC-SA-2017-012)

A logical error caused disclosure of calendar and addressbook names to other logged-in users. Note that no actual content of the calendar and addressbook has been disclosed...

CVSS: 3.5 | AI score: 2 | EPSS: 0.00724
Exploits: 0 | Affected Software: 1

Nextcloud
• added 2017/05/08 12:00 a.m. • 28 views

Share tokens for public calendars disclosed (NC-SA-2017-011)

A logical error caused disclosure of valid share tokens for public calendars, thus potentially granting an attacker access to publicly shared calendars without knowing the share token...

CVSS: 4.3 | AI score: 3.4 | EPSS: 0.01169
Exploits: 0 | Affected Software: 1

Nextcloud
• added 2017/05/08 12:00 a.m. • 29 views

Limitation of app specific password scope can be bypassed (NC-SA-2017-009)

Improper session handling allowed an application-specific password without permission for file access to access the user's file...

CVSS: 4.3 | AI score: 2.5 | EPSS: 0.00985
Exploits: 0 | Affected Software: 1

Nextcloud
• added 2017/05/08 12:00 a.m. • 27 views

Stored XSS in Gallery application (NC-SA-2017-010)

A JavaScript library used by Nextcloud for sanitizing untrusted user input suffered from an XSS vulnerability caused by a behaviour change in Safari 10.1 and 10.2. Note that Nextcloud employs a strict Content-Security-Policy preventing exploitation of this XSS issue on modern web browsers...

CVSS: 3.5 | AI score: 2.9 | EPSS: 0.00643
Exploits: 0 | Affected Software: 1

Nextcloud
• added 2017/05/08 12:00 a.m. • 23 views

DOM XSS vulnerability in search dialogue (NC-SA-2017-007)

Inadequate escaping led to an XSS vulnerability in the search module. To be exploitable, a user has to write or paste malicious content into the search dialogue...

CVSS: 3.5 | AI score: 2.1 | EPSS: 0.00739
Exploits: 0 | Affected Software: 1

Nextcloud
• added 2017/02/05 12:00 a.m. • 32 views

Content-Spoofing in "files" app (NC-SA-2017-006)

The top navigation bar displayed in the files list contained partially user-controllable input leading to a potential misrepresentation of information...

CVSS: 4.3 | AI score: 2.3 | EPSS: 0.01537
Exploits: 0 | Affected Software: 1

Nextcloud
• added 2017/02/05 12:00 a.m. • 25 views

Bypassing quota limitation (NC-SA-2017-005)

Due to not properly sanitizing values provided by the OC-Total-Length HTTP header, an authenticated adversary may be able to exceed their configured user quota, thus using more space than allowed by the administrator...

CVSS: 4 | AI score: 2.7 | EPSS: 0.00888
Exploits: 0 | Affected Software: 1

Nextcloud
• added 2017/02/05 12:00 a.m. • 29 views

Creation of folders in read-only folders despite lacking permissions (NC-SA-2017-002)

Due to a logical error in the file caching layer an authenticated adversary is able to create empty folders inside a shared folder. Note that this only affects folders and files that the adversary has at least read-only permissions for...

CVSS: 4 | AI score: 2.6 | EPSS: 0.00666
Exploits: 0 | Affected Software: 1

Nextcloud
• added 2017/02/05 12:00 a.m. • 29 views

Denial of Service attack (NC-SA-2017-004)

Due to an error in the application logic an authenticated adversary may trigger an endless recursion in the application leading to a potential Denial of Service...

CVSS: 4 | AI score: 4.3 | EPSS: 0.0123
Exploits: 0 | Affected Software: 1

Nextcloud
• added 2017/02/05 12:00 a.m. • 27 views

Permission increase on re-sharing via OCS API (NC-SA-2017-001)

A permission-related issue within the OCS sharing API allowed an authenticated adversary to reshare shared files with an increasing permission set. This may allow an attacker to edit files in a share despite having only a 'read' permission set. Note that this only affects folders and files that th...

CVSS: 5.5 | AI score: 4 | EPSS: 0.00593
Exploits: 0 | Affected Software: 1

Nextcloud
• added 2017/02/05 12:00 a.m. • 28 views

Error message discloses existence of file in write-only share (NC-SA-2017-003)

Due to an error in the application logic an adversary with access to a write-only share may enumerate the names of existing files and subfolders by comparing the exception messages...

CVSS: 4 | AI score: 2.3 | EPSS: 0.00899
Exploits: 0 | Affected Software: 1

Nextcloud
• added 2016/10/10 12:00 a.m. • 21 views

Improper authorization check on removing shares (NC-SA-2016-007)

The Sharing Backend as implemented in Nextcloud does differentiate between shares to users and groups. In case of a received group share, users should be able to unshare the file to themselves but not to the whole group. The previous API implementation did simply unshare the file to all users in...

CVSS: 4 | AI score: 3.8 | EPSS: 0.01624
Exploits: 1 | Affected Software: 1

Nextcloud
• added 2016/10/10 12:00 a.m. • 27 views

Content-Spoofing in "files" app (NC-SA-2016-010)

The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user...

CVSS: 5 | AI score: 5.3 | EPSS: 0.02972
Exploits: 1 | Affected Software: 1

Nextcloud
• added 2016/10/10 12:00 a.m. • 37 views

SMB User Authentication Bypass (NC-SA-2016-006)

Nextcloud includes an optional SMB authentication component, not enabled by default, that authenticates users against an SMB server. This backend is implemented in a way that it tries to connect to an SMB server and, if that succeeds, considers the user logged in. The backend did not proper...

CVSS: 6.8 | AI score: 8.2 | EPSS: 0.04095
Exploits: 1 | Affected Software: 1

Nextcloud
• added 2016/10/10 12:00 a.m. • 23 views

Stored XSS in CardDAV image export (NC-SA-2016-008)

The CardDAV image export functionality as implemented in Nextcloud allows the download of images stored within a vCard. Due to not performing any kind of verification on the image content this is prone to a stored Cross-Site Scripting attack. Note: Nextcloud employs a very strict Content Security...

CVSS: 3.5 | AI score: 1.3 | EPSS: 0.01118
Exploits: 1 | Affected Software: 1

Nextcloud
• added 2016/10/10 12:00 a.m. • 25 views

Content-Spoofing in "dav" app (NC-SA-2016-011)

The exception message displayed on the DAV endpoints contained partially user-controllable input leading to a potential misrepresentation of information...

CVSS: 5 | AI score: 5.4 | EPSS: 0.02077
Exploits: 1 | Affected Software: 1

Nextcloud
• added 2016/10/10 12:00 a.m. • 32 views

Reflected XSS in Gallery application (NC-SA-2016-009)

The gallery app was not properly sanitizing exception messages from the Nextcloud server. Due to an endpoint where an attacker could influence the error message, this led to a reflected Cross-Site-Scripting vulnerability...

CVSS: 4.3 | AI score: 2.2 | EPSS: 0.01656
Exploits: 1 | Affected Software: 1

Nextcloud
• added 2016/07/19 12:00 a.m. • 25 views

Edit permission check not enforced on WebDAV COPY action (NC-SA-2016-004)

The WebDAV endpoint was not properly checking the permission on a WebDAV "COPY" action. This allowed an authenticated attacker with access to a read-only share to put new files in there. It was not possible to modify existing files...

CVSS: 4 | AI score: 3.3 | EPSS: 0.02
Exploits: 1 | Affected Software: 1

Nextcloud
• added 2016/07/19 12:00 a.m. • 33 views

Log pollution can potentially lead to local HTML injection (NC-SA-2016-002)

The "download log" functionality in the admin screen is delivering the log in JSON format to the end-user. The file was delivered with an attachment disposition forcing the browser to download the document. However, Firefox running on Microsoft Windows would offer the user to open the data in the...

CVSS: 4.3 | AI score: 0.6 | EPSS: 0.01493
Exploits: 1 | Affected Software: 1

Nextcloud
• added 2016/07/19 12:00 a.m. • 37 views

Read-only share recipient can restore old versions of file (NC-SA-2016-005)

The restore capability of Nextcloud was not verifying whether a user has only read-only access to a share. Thus a user with read-only access was able to restore old versions...

CVSS: 4 | AI score: 3.1 | EPSS: 0.01874
Exploits: 1 | Affected Software: 1

Nextcloud
• added 2016/07/19 12:00 a.m. • 28 views

Content-Spoofing in "files" app (NC-SA-2016-003)

The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user...

CVSS: 5 | AI score: 2.7 | EPSS: 0.01681
Exploits: 1 | Affected Software: 1

Nextcloud
• added 2016/07/19 12:00 a.m. • 27 views

Stored XSS in "gallery" application (NC-SA-2016-001)

Due to a recent migration of the Gallery app to the new sharing endpoint a parameter changed from an integer to a string value. This value wasn't sanitized before and was thus now vulnerable to a Cross-Site-Scripting attack. To exploit this vulnerability an authenticated attacker has to share a...

CVSS: 3.5 | AI score: 1.9 | EPSS: 0.01373
Exploits: 1 | Affected Software: 1

Total number of security vulnerabilities: 384