Vendor CVEs
Nextcloud
All CVEs
330 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-32695 | 0.00 | — | 0.01 | Jun 17, 2021 | Nextcloud Android app is the Android client for Nextcloud. In versions prior to 3.16.1, a malicious app on the same device could have gotten access to the shared preferences of the Nextcloud Android application. This required user-interaction as a victim had to initiate the… | |||
| CVE-2021-22906 | 0.00 | — | 0.01 | Jun 11, 2021 | Nextcloud End-to-End Encryption before 1.5.3, 1.6.3 and 1.7.1 suffers from a denial of service vulnerability due to permitting any authenticated users to lock files of other users. | |||
| CVE-2021-22905 | 0.00 | — | 0.01 | Jun 11, 2021 | Nextcloud Android App (com.nextcloud.client) before v3.16.0 is vulnerable to information disclosure due to searches for sharees being performed by default on the lookup server instead of only using the local Nextcloud server unless a global search has been explicitly chosen by… | |||
| CVE-2021-22915 | 0.00 | — | 0.02 | Jun 11, 2021 | Nextcloud server before 19.0.11, 20.0.10, 21.0.2 is vulnerable to brute force attacks due to lack of inclusion of IPv6 subnets in rate-limiting considerations. This could potentially result in an attacker bypassing rate-limit controls such as the Nextcloud brute-force protection. | |||
| CVE-2021-22896 | 0.00 | — | 0.01 | Jun 11, 2021 | Nextcloud Mail before 1.9.5 suffers from improper access control due to a missing permission check allowing other authenticated users to create mail aliases for other users. | |||
| CVE-2021-22913 | 0.00 | — | 0.01 | Jun 11, 2021 | Nextcloud Deck before 1.2.7, 1.4.1 suffers from an information disclosure vulnerability when searches for sharees utilize the lookup server by default instead of only the local Nextcloud server unless a global search has been explicitly chosen by the user. | |||
| CVE-2021-25413 | 0.00 | — | 0.00 | Jun 11, 2021 | Improper sanitization of incoming intent in Samsung Contacts prior to SMR JUN-2021 Release 1 allows local attackers to get permissions to access arbitrary data with Samsung Contacts privilege. | |||
| CVE-2021-25414 | 0.00 | — | 0.00 | Jun 11, 2021 | Improper sanitization of incoming intent in Samsung Contacts prior to SMR JUN-2021 Release 1 allows local attackers to copy or overwrite arbitrary files with Samsung Contacts privilege. | |||
| CVE-2021-32658 | 0.00 | — | 0.00 | Jun 8, 2021 | Nextcloud Android is the Android client for the Nextcloud open source home cloud system. Due to a timeout issue the Android client may not properly clean all sensitive data on account removal. This could include sensitive key material such as the End-to-End encryption keys. It… | |||
| CVE-2021-32657 | 0.00 | — | 0.02 | Jun 1, 2021 | Nextcloud Server is a Nextcloud package that handles data storage. In versions of Nextcloud Server prior to 10.0.11, 20.0.10, and 21.0.2, a malicious user may be able to break the user administration page. This would disallow administrators to administrate users on the Nextcloud… | |||
| CVE-2021-32656 | 0.00 | — | 0.02 | Jun 1, 2021 | Nextcloud Server is a Nextcloud package that handles data storage. A vulnerability in federated share exists in versions prior to 19.0.11, 20.0.10, and 21.0.2. An attacker can gain access to basic information about users of a server by accessing a public link that a legitimate… | |||
| CVE-2021-32655 | 0.00 | — | 0.01 | Jun 1, 2021 | Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.11, 20.0.10, and 21.0.2, an attacker is able to convert a Files Drop link to a federated share. This causes an issue on the UI side of the sharing user. When the sharing user opens the… | |||
| CVE-2021-32654 | 0.00 | — | 0.02 | Jun 1, 2021 | Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.11, 20.0.10, and 21.0.2, an attacker is able to receive write/read privileges on any Federated File Share. Since public links can be added as federated file share, this can also be… | |||
| CVE-2021-32653 | 0.00 | — | 0.01 | Jun 1, 2021 | Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server versions prior to 19.0.11, 20.0.10, or 21.0.2 send user IDs to the lookup server even if the user has no fields set to published. The vulnerability is patched in versions 19.0.11, 20.0.10, and… | |||
| CVE-2021-32652 | 0.00 | — | 0.01 | Jun 1, 2021 | Nextcloud Mail is a mail app for the Nextcloud platform. A missing permission check in Nextcloud Mail before 1.4.3 and 1.8.2 allows another authenticated users to access mail metadata of other users. Versions 1.4.3 and 1.8.2 contain patches for this vulnerability; no workarounds… | |||
| CVE-2021-29438 | 0.00 | — | 0.01 | Apr 13, 2021 | The Nextcloud dialogs library (npm package @nextcloud/dialogs) before 3.1.2 insufficiently escaped text input passed to a toast. If your application displays toasts with user-supplied input, this could lead to a XSS vulnerability. The vulnerability has been patched in version… | |||
| CVE-2020-8296 | 0.00 | — | 0.01 | Mar 3, 2021 | Nextcloud Server prior to 20.0.0 stores passwords in a recoverable format even when external storage is not configured. | |||
| CVE-2021-22878 | 0.00 | — | 0.01 | Mar 3, 2021 | Nextcloud Server prior to 20.0.6 is vulnerable to reflected cross-site scripting (XSS) due to lack of sanitization in `OC.Notification.show`. | |||
| CVE-2021-22877 | 0.00 | — | 0.02 | Mar 3, 2021 | A missing user check in Nextcloud prior to 20.0.6 inadvertently populates a user's own credentials for other users external storage configuration when not already configured yet. | |||
| CVE-2020-8297 | 0.00 | — | 0.01 | Feb 23, 2021 | Nextcloud Deck before 1.0.2 suffers from an insecure direct object reference (IDOR) vulnerability that permits users with a duplicate user identifier to access deck data of a previous deleted user. | |||
| CVE-2020-8294 | 0.00 | — | 0.01 | Feb 3, 2021 | A missing link validation in Nextcloud Server before 20.0.2, 19.0.5, 18.0.11 allows execution of a stored XSS attack using Internet Explorer when saving a 'javascript:' URL in markdown format. | |||
| CVE-2020-8295 | 0.00 | — | 0.02 | Jan 26, 2021 | A wrong check in Nextcloud Server 19 and prior allowed to perform a denial of service attack when resetting the password for a user. | |||
| CVE-2020-8293 | 0.00 | — | 0.02 | Jan 26, 2021 | A missing input validation in Nextcloud Server before 20.0.2, 19.0.5, 18.0.11 allows users to store unlimited data in workflow rules causing load and potential DDoS on later interactions and usage with those rules. | |||
| CVE-2020-8280 | 0.00 | — | 0.01 | Jan 6, 2021 | A missing file type check in Nextcloud Contacts 3.4.0 allows a malicious user to upload SVG files as PNG files to perform cross-site scripting (XSS) attacks. | |||
| CVE-2020-8281 | 0.00 | — | 0.01 | Jan 6, 2021 | A missing file type check in Nextcloud Contacts 3.3.0 allows a malicious user to upload malicious SVG files to perform cross-site scripting (XSS) attacks. | |||
| CVE-2020-8278 | 0.00 | — | 0.01 | Nov 19, 2020 | Improper access control in Nextcloud Social app version 0.3.1 allowed to read posts of any user. | |||
| CVE-2020-8279 | 0.00 | — | 0.01 | Nov 19, 2020 | Missing validation of server certificates for out-going connections in Nextcloud Social < 0.4.0 allowed a man-in-the-middle attack. | |||
| CVE-2020-8259 | 0.00 | — | 0.01 | Nov 16, 2020 | Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the encryption keys. | |||
| CVE-2020-8152 | 0.00 | — | 0.00 | Nov 16, 2020 | Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the public key to decrypt them later on. | |||
| CVE-2020-8133 | 0.00 | — | 0.01 | Nov 9, 2020 | A wrong generation of the passphrase for the encrypted block in Nextcloud Server 19.0.1 allowed an attacker to overwrite blocks in a file. | |||
| CVE-2020-8150 | 0.00 | — | 0.00 | Nov 9, 2020 | A cryptographic issue in Nextcloud Server 19.0.1 allowed an attacker to downgrade the encryption scheme and break the integrity of encrypted files. | |||
| CVE-2020-8183 | 0.00 | — | 0.02 | Oct 30, 2020 | A logic error in Nextcloud Server 19.0.0 caused a plaintext storage of the share password when it was given on the initial create API call. | |||
| CVE-2020-8173 | 0.00 | — | 0.00 | Oct 30, 2020 | A too small set of random characters being used for encryption in Nextcloud Server 18.0.4 allowed decryption in shorter time than intended. | |||
| CVE-2020-8236 | 0.00 | — | 0.01 | Oct 30, 2020 | A wrong configuration in Nextcloud Server 19.0.1 incorrectly made the user feel the passwordless WebAuthn is also a two factor verification by asking for the PIN of the passwordless WebAuthn but not verifying it. | |||
| CVE-2020-8182 | 0.00 | — | 0.01 | Oct 5, 2020 | Improper access control in Nextcloud Deck 0.8.0 allowed an attacker to reshare boards shared with them with more permissions than they had themselves. | |||
| CVE-2020-8223 | 0.00 | — | 0.01 | Oct 5, 2020 | A logic error in Nextcloud Server 19.0.0 caused a privilege escalation allowing malicious users to reshare with higher permissions than they got assigned themselves. | |||
| CVE-2020-8235 | 0.00 | — | 0.01 | Oct 5, 2020 | Missing access control in Nextcloud Deck 1.0.4 caused an insecure direct object reference allowing an attacker to view all attachments. | |||
| CVE-2020-8228 | 0.00 | — | 0.02 | Oct 5, 2020 | A missing rate limit in the Preferred Providers app 1.7.0 allowed an attacker to set the password an uncontrolled amount of times. | |||
| CVE-2019-14757 | 0.00 | — | 0.01 | Sep 14, 2020 | An issue was discovered in KaiOS 2.5 and 2.5.1. The pre-installed Contacts application is vulnerable to HTML and JavaScript injection attacks. An attacker can send a vCard file to the victim that will inject HTML into the Contacts application (assuming the victim chooses to… | |||
| CVE-2020-8202 | 0.00 | — | 0.01 | Jul 30, 2020 | Improper check of inputs in Nextcloud Preferred Providers app v1.6.0 allowed to perform a denial of service attack when using a very long password. | |||
| CVE-2020-8181 | 0.00 | — | 0.01 | Jul 10, 2020 | A missing file type check in Nextcloud Contacts 3.2.0 allowed a malicious user to upload any file as avatars. | |||
| CVE-2020-8179 | 0.00 | — | 0.01 | Jul 2, 2020 | Improper access control in Nextcloud Deck 1.0.0 allowed an attacker to inject tasks into other users decks. | |||
| CVE-2020-8180 | 0.00 | — | 0.02 | Jun 8, 2020 | A too lax check in Nextcloud Talk 6.0.4, 7.0.2 and 8.0.7 allowed a code injection when a not correctly sanitized talk command was added by an administrator. | |||
| CVE-2020-8153 | 0.00 | — | 0.02 | May 12, 2020 | Improper access control in Groupfolders app 4.0.3 allowed to delete hidden directories when when renaming an accessible item to the same name. | |||
| CVE-2020-8155 | 0.00 | — | 0.01 | May 12, 2020 | An outdated 3rd party library in the Files PDF viewer for Nextcloud Server 18.0.2 caused a Cross-site scripting vulnerability when opening a malicious PDF. | |||
| CVE-2020-8154 | 0.00 | — | 0.02 | May 12, 2020 | An Insecure direct object reference vulnerability in Nextcloud Server 18.0.2 allowed an attacker to remote wipe devices of other users when sending a malicious request directly to the endpoint. | |||
| CVE-2020-8156 | 0.00 | — | 0.01 | May 12, 2020 | A missing verification of the TLS host in Nextcloud Mail 1.1.3 allowed a man in the middle attack. | |||
| CVE-2018-21078 | 0.00 | — | 0.00 | Apr 8, 2020 | An issue was discovered on Samsung mobile devices with M(6.0), N(7.x), and O(8.0) software. The Contacts application allows attackers to originate video calls because SS (Supplementary Service) and USSD (Unstructured Supplementary Service Data) codes are improperly secured. The… | |||
| CVE-2020-8139 | 0.00 | — | 0.02 | Mar 20, 2020 | A missing access control check in Nextcloud Server < 18.0.1, < 17.0.4, and < 16.0.9 causes hide-download shares to be downloadable when appending /download to the URL. | |||
| CVE-2020-8138 | 0.00 | — | 0.01 | Mar 20, 2020 | A missing check for IPv4 nested inside IPv6 in Nextcloud server < 17.0.1, < 16.0.7, and < 15.0.14 allowed a Server-Side Request Forgery (SSRF) vulnerability when subscribing to a malicious calendar URL. |
- CVE-2021-32695Jun 17, 2021risk 0.00cvss —epss 0.01
Nextcloud Android app is the Android client for Nextcloud. In versions prior to 3.16.1, a malicious app on the same device could have gotten access to the shared preferences of the Nextcloud Android application. This required user-interaction as a victim had to initiate the…
- CVE-2021-22906Jun 11, 2021risk 0.00cvss —epss 0.01
Nextcloud End-to-End Encryption before 1.5.3, 1.6.3 and 1.7.1 suffers from a denial of service vulnerability due to permitting any authenticated users to lock files of other users.
- CVE-2021-22905Jun 11, 2021risk 0.00cvss —epss 0.01
Nextcloud Android App (com.nextcloud.client) before v3.16.0 is vulnerable to information disclosure due to searches for sharees being performed by default on the lookup server instead of only using the local Nextcloud server unless a global search has been explicitly chosen by…
- CVE-2021-22915Jun 11, 2021risk 0.00cvss —epss 0.02
Nextcloud server before 19.0.11, 20.0.10, 21.0.2 is vulnerable to brute force attacks due to lack of inclusion of IPv6 subnets in rate-limiting considerations. This could potentially result in an attacker bypassing rate-limit controls such as the Nextcloud brute-force protection.
- CVE-2021-22896Jun 11, 2021risk 0.00cvss —epss 0.01
Nextcloud Mail before 1.9.5 suffers from improper access control due to a missing permission check allowing other authenticated users to create mail aliases for other users.
- CVE-2021-22913Jun 11, 2021risk 0.00cvss —epss 0.01
Nextcloud Deck before 1.2.7, 1.4.1 suffers from an information disclosure vulnerability when searches for sharees utilize the lookup server by default instead of only the local Nextcloud server unless a global search has been explicitly chosen by the user.
- CVE-2021-25413Jun 11, 2021risk 0.00cvss —epss 0.00
Improper sanitization of incoming intent in Samsung Contacts prior to SMR JUN-2021 Release 1 allows local attackers to get permissions to access arbitrary data with Samsung Contacts privilege.
- CVE-2021-25414Jun 11, 2021risk 0.00cvss —epss 0.00
Improper sanitization of incoming intent in Samsung Contacts prior to SMR JUN-2021 Release 1 allows local attackers to copy or overwrite arbitrary files with Samsung Contacts privilege.
- CVE-2021-32658Jun 8, 2021risk 0.00cvss —epss 0.00
Nextcloud Android is the Android client for the Nextcloud open source home cloud system. Due to a timeout issue the Android client may not properly clean all sensitive data on account removal. This could include sensitive key material such as the End-to-End encryption keys. It…
- CVE-2021-32657Jun 1, 2021risk 0.00cvss —epss 0.02
Nextcloud Server is a Nextcloud package that handles data storage. In versions of Nextcloud Server prior to 10.0.11, 20.0.10, and 21.0.2, a malicious user may be able to break the user administration page. This would disallow administrators to administrate users on the Nextcloud…
- CVE-2021-32656Jun 1, 2021risk 0.00cvss —epss 0.02
Nextcloud Server is a Nextcloud package that handles data storage. A vulnerability in federated share exists in versions prior to 19.0.11, 20.0.10, and 21.0.2. An attacker can gain access to basic information about users of a server by accessing a public link that a legitimate…
- CVE-2021-32655Jun 1, 2021risk 0.00cvss —epss 0.01
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.11, 20.0.10, and 21.0.2, an attacker is able to convert a Files Drop link to a federated share. This causes an issue on the UI side of the sharing user. When the sharing user opens the…
- CVE-2021-32654Jun 1, 2021risk 0.00cvss —epss 0.02
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.11, 20.0.10, and 21.0.2, an attacker is able to receive write/read privileges on any Federated File Share. Since public links can be added as federated file share, this can also be…
- CVE-2021-32653Jun 1, 2021risk 0.00cvss —epss 0.01
Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server versions prior to 19.0.11, 20.0.10, or 21.0.2 send user IDs to the lookup server even if the user has no fields set to published. The vulnerability is patched in versions 19.0.11, 20.0.10, and…
- CVE-2021-32652Jun 1, 2021risk 0.00cvss —epss 0.01
Nextcloud Mail is a mail app for the Nextcloud platform. A missing permission check in Nextcloud Mail before 1.4.3 and 1.8.2 allows another authenticated users to access mail metadata of other users. Versions 1.4.3 and 1.8.2 contain patches for this vulnerability; no workarounds…
- CVE-2021-29438Apr 13, 2021risk 0.00cvss —epss 0.01
The Nextcloud dialogs library (npm package @nextcloud/dialogs) before 3.1.2 insufficiently escaped text input passed to a toast. If your application displays toasts with user-supplied input, this could lead to a XSS vulnerability. The vulnerability has been patched in version…
- CVE-2020-8296Mar 3, 2021risk 0.00cvss —epss 0.01
Nextcloud Server prior to 20.0.0 stores passwords in a recoverable format even when external storage is not configured.
- CVE-2021-22878Mar 3, 2021risk 0.00cvss —epss 0.01
Nextcloud Server prior to 20.0.6 is vulnerable to reflected cross-site scripting (XSS) due to lack of sanitization in `OC.Notification.show`.
- CVE-2021-22877Mar 3, 2021risk 0.00cvss —epss 0.02
A missing user check in Nextcloud prior to 20.0.6 inadvertently populates a user's own credentials for other users external storage configuration when not already configured yet.
- CVE-2020-8297Feb 23, 2021risk 0.00cvss —epss 0.01
Nextcloud Deck before 1.0.2 suffers from an insecure direct object reference (IDOR) vulnerability that permits users with a duplicate user identifier to access deck data of a previous deleted user.
- CVE-2020-8294Feb 3, 2021risk 0.00cvss —epss 0.01
A missing link validation in Nextcloud Server before 20.0.2, 19.0.5, 18.0.11 allows execution of a stored XSS attack using Internet Explorer when saving a 'javascript:' URL in markdown format.
- CVE-2020-8295Jan 26, 2021risk 0.00cvss —epss 0.02
A wrong check in Nextcloud Server 19 and prior allowed to perform a denial of service attack when resetting the password for a user.
- CVE-2020-8293Jan 26, 2021risk 0.00cvss —epss 0.02
A missing input validation in Nextcloud Server before 20.0.2, 19.0.5, 18.0.11 allows users to store unlimited data in workflow rules causing load and potential DDoS on later interactions and usage with those rules.
- CVE-2020-8280Jan 6, 2021risk 0.00cvss —epss 0.01
A missing file type check in Nextcloud Contacts 3.4.0 allows a malicious user to upload SVG files as PNG files to perform cross-site scripting (XSS) attacks.
- CVE-2020-8281Jan 6, 2021risk 0.00cvss —epss 0.01
A missing file type check in Nextcloud Contacts 3.3.0 allows a malicious user to upload malicious SVG files to perform cross-site scripting (XSS) attacks.
- CVE-2020-8278Nov 19, 2020risk 0.00cvss —epss 0.01
Improper access control in Nextcloud Social app version 0.3.1 allowed to read posts of any user.
- CVE-2020-8279Nov 19, 2020risk 0.00cvss —epss 0.01
Missing validation of server certificates for out-going connections in Nextcloud Social < 0.4.0 allowed a man-in-the-middle attack.
- CVE-2020-8259Nov 16, 2020risk 0.00cvss —epss 0.01
Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the encryption keys.
- CVE-2020-8152Nov 16, 2020risk 0.00cvss —epss 0.00
Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the public key to decrypt them later on.
- CVE-2020-8133Nov 9, 2020risk 0.00cvss —epss 0.01
A wrong generation of the passphrase for the encrypted block in Nextcloud Server 19.0.1 allowed an attacker to overwrite blocks in a file.
- CVE-2020-8150Nov 9, 2020risk 0.00cvss —epss 0.00
A cryptographic issue in Nextcloud Server 19.0.1 allowed an attacker to downgrade the encryption scheme and break the integrity of encrypted files.
- CVE-2020-8183Oct 30, 2020risk 0.00cvss —epss 0.02
A logic error in Nextcloud Server 19.0.0 caused a plaintext storage of the share password when it was given on the initial create API call.
- CVE-2020-8173Oct 30, 2020risk 0.00cvss —epss 0.00
A too small set of random characters being used for encryption in Nextcloud Server 18.0.4 allowed decryption in shorter time than intended.
- CVE-2020-8236Oct 30, 2020risk 0.00cvss —epss 0.01
A wrong configuration in Nextcloud Server 19.0.1 incorrectly made the user feel the passwordless WebAuthn is also a two factor verification by asking for the PIN of the passwordless WebAuthn but not verifying it.
- CVE-2020-8182Oct 5, 2020risk 0.00cvss —epss 0.01
Improper access control in Nextcloud Deck 0.8.0 allowed an attacker to reshare boards shared with them with more permissions than they had themselves.
- CVE-2020-8223Oct 5, 2020risk 0.00cvss —epss 0.01
A logic error in Nextcloud Server 19.0.0 caused a privilege escalation allowing malicious users to reshare with higher permissions than they got assigned themselves.
- CVE-2020-8235Oct 5, 2020risk 0.00cvss —epss 0.01
Missing access control in Nextcloud Deck 1.0.4 caused an insecure direct object reference allowing an attacker to view all attachments.
- CVE-2020-8228Oct 5, 2020risk 0.00cvss —epss 0.02
A missing rate limit in the Preferred Providers app 1.7.0 allowed an attacker to set the password an uncontrolled amount of times.
- CVE-2019-14757Sep 14, 2020risk 0.00cvss —epss 0.01
An issue was discovered in KaiOS 2.5 and 2.5.1. The pre-installed Contacts application is vulnerable to HTML and JavaScript injection attacks. An attacker can send a vCard file to the victim that will inject HTML into the Contacts application (assuming the victim chooses to…
- CVE-2020-8202Jul 30, 2020risk 0.00cvss —epss 0.01
Improper check of inputs in Nextcloud Preferred Providers app v1.6.0 allowed to perform a denial of service attack when using a very long password.
- CVE-2020-8181Jul 10, 2020risk 0.00cvss —epss 0.01
A missing file type check in Nextcloud Contacts 3.2.0 allowed a malicious user to upload any file as avatars.
- CVE-2020-8179Jul 2, 2020risk 0.00cvss —epss 0.01
Improper access control in Nextcloud Deck 1.0.0 allowed an attacker to inject tasks into other users decks.
- CVE-2020-8180Jun 8, 2020risk 0.00cvss —epss 0.02
A too lax check in Nextcloud Talk 6.0.4, 7.0.2 and 8.0.7 allowed a code injection when a not correctly sanitized talk command was added by an administrator.
- CVE-2020-8153May 12, 2020risk 0.00cvss —epss 0.02
Improper access control in Groupfolders app 4.0.3 allowed to delete hidden directories when when renaming an accessible item to the same name.
- CVE-2020-8155May 12, 2020risk 0.00cvss —epss 0.01
An outdated 3rd party library in the Files PDF viewer for Nextcloud Server 18.0.2 caused a Cross-site scripting vulnerability when opening a malicious PDF.
- CVE-2020-8154May 12, 2020risk 0.00cvss —epss 0.02
An Insecure direct object reference vulnerability in Nextcloud Server 18.0.2 allowed an attacker to remote wipe devices of other users when sending a malicious request directly to the endpoint.
- CVE-2020-8156May 12, 2020risk 0.00cvss —epss 0.01
A missing verification of the TLS host in Nextcloud Mail 1.1.3 allowed a man in the middle attack.
- CVE-2018-21078Apr 8, 2020risk 0.00cvss —epss 0.00
An issue was discovered on Samsung mobile devices with M(6.0), N(7.x), and O(8.0) software. The Contacts application allows attackers to originate video calls because SS (Supplementary Service) and USSD (Unstructured Supplementary Service Data) codes are improperly secured. The…
- CVE-2020-8139Mar 20, 2020risk 0.00cvss —epss 0.02
A missing access control check in Nextcloud Server < 18.0.1, < 17.0.4, and < 16.0.9 causes hide-download shares to be downloadable when appending /download to the URL.
- CVE-2020-8138Mar 20, 2020risk 0.00cvss —epss 0.01
A missing check for IPv4 nested inside IPv6 in Nextcloud server < 17.0.1, < 16.0.7, and < 15.0.14 allowed a Server-Side Request Forgery (SSRF) vulnerability when subscribing to a malicious calendar URL.
Page 6 of 7