VYPR

Vendor CVEs

Nextcloud

All CVEs

330 total · sorted by risk
  • CVE-2021-32695Jun 17, 2021
    risk 0.00cvss epss 0.01

    Nextcloud Android app is the Android client for Nextcloud. In versions prior to 3.16.1, a malicious app on the same device could have gotten access to the shared preferences of the Nextcloud Android application. This required user-interaction as a victim had to initiate the…

  • CVE-2021-22906Jun 11, 2021
    risk 0.00cvss epss 0.01

    Nextcloud End-to-End Encryption before 1.5.3, 1.6.3 and 1.7.1 suffers from a denial of service vulnerability due to permitting any authenticated users to lock files of other users.

  • CVE-2021-22905Jun 11, 2021
    risk 0.00cvss epss 0.01

    Nextcloud Android App (com.nextcloud.client) before v3.16.0 is vulnerable to information disclosure due to searches for sharees being performed by default on the lookup server instead of only using the local Nextcloud server unless a global search has been explicitly chosen by…

  • CVE-2021-22915Jun 11, 2021
    risk 0.00cvss epss 0.02

    Nextcloud server before 19.0.11, 20.0.10, 21.0.2 is vulnerable to brute force attacks due to lack of inclusion of IPv6 subnets in rate-limiting considerations. This could potentially result in an attacker bypassing rate-limit controls such as the Nextcloud brute-force protection.

  • CVE-2021-22896Jun 11, 2021
    risk 0.00cvss epss 0.01

    Nextcloud Mail before 1.9.5 suffers from improper access control due to a missing permission check allowing other authenticated users to create mail aliases for other users.

  • CVE-2021-22913Jun 11, 2021
    risk 0.00cvss epss 0.01

    Nextcloud Deck before 1.2.7, 1.4.1 suffers from an information disclosure vulnerability when searches for sharees utilize the lookup server by default instead of only the local Nextcloud server unless a global search has been explicitly chosen by the user.

  • CVE-2021-25413Jun 11, 2021
    risk 0.00cvss epss 0.00

    Improper sanitization of incoming intent in Samsung Contacts prior to SMR JUN-2021 Release 1 allows local attackers to get permissions to access arbitrary data with Samsung Contacts privilege.

  • CVE-2021-25414Jun 11, 2021
    risk 0.00cvss epss 0.00

    Improper sanitization of incoming intent in Samsung Contacts prior to SMR JUN-2021 Release 1 allows local attackers to copy or overwrite arbitrary files with Samsung Contacts privilege.

  • CVE-2021-32658Jun 8, 2021
    risk 0.00cvss epss 0.00

    Nextcloud Android is the Android client for the Nextcloud open source home cloud system. Due to a timeout issue the Android client may not properly clean all sensitive data on account removal. This could include sensitive key material such as the End-to-End encryption keys. It…

  • CVE-2021-32657Jun 1, 2021
    risk 0.00cvss epss 0.02

    Nextcloud Server is a Nextcloud package that handles data storage. In versions of Nextcloud Server prior to 10.0.11, 20.0.10, and 21.0.2, a malicious user may be able to break the user administration page. This would disallow administrators to administrate users on the Nextcloud…

  • CVE-2021-32656Jun 1, 2021
    risk 0.00cvss epss 0.02

    Nextcloud Server is a Nextcloud package that handles data storage. A vulnerability in federated share exists in versions prior to 19.0.11, 20.0.10, and 21.0.2. An attacker can gain access to basic information about users of a server by accessing a public link that a legitimate…

  • CVE-2021-32655Jun 1, 2021
    risk 0.00cvss epss 0.01

    Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.11, 20.0.10, and 21.0.2, an attacker is able to convert a Files Drop link to a federated share. This causes an issue on the UI side of the sharing user. When the sharing user opens the…

  • CVE-2021-32654Jun 1, 2021
    risk 0.00cvss epss 0.02

    Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.11, 20.0.10, and 21.0.2, an attacker is able to receive write/read privileges on any Federated File Share. Since public links can be added as federated file share, this can also be…

  • CVE-2021-32653Jun 1, 2021
    risk 0.00cvss epss 0.01

    Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server versions prior to 19.0.11, 20.0.10, or 21.0.2 send user IDs to the lookup server even if the user has no fields set to published. The vulnerability is patched in versions 19.0.11, 20.0.10, and…

  • CVE-2021-32652Jun 1, 2021
    risk 0.00cvss epss 0.01

    Nextcloud Mail is a mail app for the Nextcloud platform. A missing permission check in Nextcloud Mail before 1.4.3 and 1.8.2 allows another authenticated users to access mail metadata of other users. Versions 1.4.3 and 1.8.2 contain patches for this vulnerability; no workarounds…

  • CVE-2021-29438Apr 13, 2021
    risk 0.00cvss epss 0.01

    The Nextcloud dialogs library (npm package @nextcloud/dialogs) before 3.1.2 insufficiently escaped text input passed to a toast. If your application displays toasts with user-supplied input, this could lead to a XSS vulnerability. The vulnerability has been patched in version…

  • CVE-2020-8296Mar 3, 2021
    risk 0.00cvss epss 0.01

    Nextcloud Server prior to 20.0.0 stores passwords in a recoverable format even when external storage is not configured.

  • CVE-2021-22878Mar 3, 2021
    risk 0.00cvss epss 0.01

    Nextcloud Server prior to 20.0.6 is vulnerable to reflected cross-site scripting (XSS) due to lack of sanitization in `OC.Notification.show`.

  • CVE-2021-22877Mar 3, 2021
    risk 0.00cvss epss 0.02

    A missing user check in Nextcloud prior to 20.0.6 inadvertently populates a user's own credentials for other users external storage configuration when not already configured yet.

  • CVE-2020-8297Feb 23, 2021
    risk 0.00cvss epss 0.01

    Nextcloud Deck before 1.0.2 suffers from an insecure direct object reference (IDOR) vulnerability that permits users with a duplicate user identifier to access deck data of a previous deleted user.

  • CVE-2020-8294Feb 3, 2021
    risk 0.00cvss epss 0.01

    A missing link validation in Nextcloud Server before 20.0.2, 19.0.5, 18.0.11 allows execution of a stored XSS attack using Internet Explorer when saving a 'javascript:' URL in markdown format.

  • CVE-2020-8295Jan 26, 2021
    risk 0.00cvss epss 0.02

    A wrong check in Nextcloud Server 19 and prior allowed to perform a denial of service attack when resetting the password for a user.

  • CVE-2020-8293Jan 26, 2021
    risk 0.00cvss epss 0.02

    A missing input validation in Nextcloud Server before 20.0.2, 19.0.5, 18.0.11 allows users to store unlimited data in workflow rules causing load and potential DDoS on later interactions and usage with those rules.

  • CVE-2020-8280Jan 6, 2021
    risk 0.00cvss epss 0.01

    A missing file type check in Nextcloud Contacts 3.4.0 allows a malicious user to upload SVG files as PNG files to perform cross-site scripting (XSS) attacks.

  • CVE-2020-8281Jan 6, 2021
    risk 0.00cvss epss 0.01

    A missing file type check in Nextcloud Contacts 3.3.0 allows a malicious user to upload malicious SVG files to perform cross-site scripting (XSS) attacks.

  • CVE-2020-8278Nov 19, 2020
    risk 0.00cvss epss 0.01

    Improper access control in Nextcloud Social app version 0.3.1 allowed to read posts of any user.

  • CVE-2020-8279Nov 19, 2020
    risk 0.00cvss epss 0.01

    Missing validation of server certificates for out-going connections in Nextcloud Social < 0.4.0 allowed a man-in-the-middle attack.

  • CVE-2020-8259Nov 16, 2020
    risk 0.00cvss epss 0.01

    Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the encryption keys.

  • CVE-2020-8152Nov 16, 2020
    risk 0.00cvss epss 0.00

    Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the public key to decrypt them later on.

  • CVE-2020-8133Nov 9, 2020
    risk 0.00cvss epss 0.01

    A wrong generation of the passphrase for the encrypted block in Nextcloud Server 19.0.1 allowed an attacker to overwrite blocks in a file.

  • CVE-2020-8150Nov 9, 2020
    risk 0.00cvss epss 0.00

    A cryptographic issue in Nextcloud Server 19.0.1 allowed an attacker to downgrade the encryption scheme and break the integrity of encrypted files.

  • CVE-2020-8183Oct 30, 2020
    risk 0.00cvss epss 0.02

    A logic error in Nextcloud Server 19.0.0 caused a plaintext storage of the share password when it was given on the initial create API call.

  • CVE-2020-8173Oct 30, 2020
    risk 0.00cvss epss 0.00

    A too small set of random characters being used for encryption in Nextcloud Server 18.0.4 allowed decryption in shorter time than intended.

  • CVE-2020-8236Oct 30, 2020
    risk 0.00cvss epss 0.01

    A wrong configuration in Nextcloud Server 19.0.1 incorrectly made the user feel the passwordless WebAuthn is also a two factor verification by asking for the PIN of the passwordless WebAuthn but not verifying it.

  • CVE-2020-8182Oct 5, 2020
    risk 0.00cvss epss 0.01

    Improper access control in Nextcloud Deck 0.8.0 allowed an attacker to reshare boards shared with them with more permissions than they had themselves.

  • CVE-2020-8223Oct 5, 2020
    risk 0.00cvss epss 0.01

    A logic error in Nextcloud Server 19.0.0 caused a privilege escalation allowing malicious users to reshare with higher permissions than they got assigned themselves.

  • CVE-2020-8235Oct 5, 2020
    risk 0.00cvss epss 0.01

    Missing access control in Nextcloud Deck 1.0.4 caused an insecure direct object reference allowing an attacker to view all attachments.

  • CVE-2020-8228Oct 5, 2020
    risk 0.00cvss epss 0.02

    A missing rate limit in the Preferred Providers app 1.7.0 allowed an attacker to set the password an uncontrolled amount of times.

  • CVE-2019-14757Sep 14, 2020
    risk 0.00cvss epss 0.01

    An issue was discovered in KaiOS 2.5 and 2.5.1. The pre-installed Contacts application is vulnerable to HTML and JavaScript injection attacks. An attacker can send a vCard file to the victim that will inject HTML into the Contacts application (assuming the victim chooses to…

  • CVE-2020-8202Jul 30, 2020
    risk 0.00cvss epss 0.01

    Improper check of inputs in Nextcloud Preferred Providers app v1.6.0 allowed to perform a denial of service attack when using a very long password.

  • CVE-2020-8181Jul 10, 2020
    risk 0.00cvss epss 0.01

    A missing file type check in Nextcloud Contacts 3.2.0 allowed a malicious user to upload any file as avatars.

  • CVE-2020-8179Jul 2, 2020
    risk 0.00cvss epss 0.01

    Improper access control in Nextcloud Deck 1.0.0 allowed an attacker to inject tasks into other users decks.

  • CVE-2020-8180Jun 8, 2020
    risk 0.00cvss epss 0.02

    A too lax check in Nextcloud Talk 6.0.4, 7.0.2 and 8.0.7 allowed a code injection when a not correctly sanitized talk command was added by an administrator.

  • CVE-2020-8153May 12, 2020
    risk 0.00cvss epss 0.02

    Improper access control in Groupfolders app 4.0.3 allowed to delete hidden directories when when renaming an accessible item to the same name.

  • CVE-2020-8155May 12, 2020
    risk 0.00cvss epss 0.01

    An outdated 3rd party library in the Files PDF viewer for Nextcloud Server 18.0.2 caused a Cross-site scripting vulnerability when opening a malicious PDF.

  • CVE-2020-8154May 12, 2020
    risk 0.00cvss epss 0.02

    An Insecure direct object reference vulnerability in Nextcloud Server 18.0.2 allowed an attacker to remote wipe devices of other users when sending a malicious request directly to the endpoint.

  • CVE-2020-8156May 12, 2020
    risk 0.00cvss epss 0.01

    A missing verification of the TLS host in Nextcloud Mail 1.1.3 allowed a man in the middle attack.

  • CVE-2018-21078Apr 8, 2020
    risk 0.00cvss epss 0.00

    An issue was discovered on Samsung mobile devices with M(6.0), N(7.x), and O(8.0) software. The Contacts application allows attackers to originate video calls because SS (Supplementary Service) and USSD (Unstructured Supplementary Service Data) codes are improperly secured. The…

  • CVE-2020-8139Mar 20, 2020
    risk 0.00cvss epss 0.02

    A missing access control check in Nextcloud Server < 18.0.1, < 17.0.4, and < 16.0.9 causes hide-download shares to be downloadable when appending /download to the URL.

  • CVE-2020-8138Mar 20, 2020
    risk 0.00cvss epss 0.01

    A missing check for IPv4 nested inside IPv6 in Nextcloud server < 17.0.1, < 16.0.7, and < 15.0.14 allowed a Server-Side Request Forgery (SSRF) vulnerability when subscribing to a malicious calendar URL.

Page 6 of 7