Security Advisories

---

2020

Nextcloud Server 19.0.2

• PIN for passwordless WebAuthn is asked for but not verified (NC-SA-2020-037) 2020-08-25

Preferred providers 1.8.0

• Missing rate limit on signup page (NC-SA-2020-033) 2020-08-03

Nextcloud Server 19.0.1

• Re-Sharing allows increase of privileges (NC-SA-2020-029) 2020-07-16

Nextcloud Server 18.0.7

• Re-Sharing allows increase of privileges (NC-SA-2020-029) 2020-07-16

Nextcloud Server 17.0.8

• Re-Sharing allows increase of privileges (NC-SA-2020-029) 2020-07-16

Deck App 1.0.5

• Access control missing while viewing the attachments in the 'All boards' (NC-SA-2020-036) 2020-07-15

Desktop Client 2.6.5

• Missing memory corruption protection on Windows release built (NC-SA-2020-035) 2020-07-10
• Memory Leak in OCUtil.dll library in Desktop client can lead to DoS (NC-SA-2020-034) 2020-07-10
• Linux client is vulnerable to directory traversal when downloading files (NC-SA-2020-032) 2020-07-10
• Clear text storage of proxy parameters and passwords (NC-SA-2020-031) 2020-07-10
• Arbitrary code execution in desktop client via OpenSSL config (NC-SA-2020-030) 2020-07-10
• XSS in desktop client via invalid server address on login form (NC-SA-2020-027) 2020-07-10

Preferred providers 1.7.0

• Possible denial of service when entering a long password (NC-SA-2020-028) 2020-06-16

Nextcloud Server 19.0.1

• Password of share by mail is not hashed when given on the create share call (NC-SA-2020-026) 2020-06-04

Nextcloud Server 18.0.6

• Password of share by mail is not hashed when given on the create share call (NC-SA-2020-026) 2020-06-04

Nextcloud Server 19.0.0

• Increase random used for encryption (NC-SA-2020-023) 2020-06-04

Nextcloud Server 18.0.5

• Increase random used for encryption (NC-SA-2020-023) 2020-06-04

Nextcloud Server 17.0.7

• Increase random used for encryption (NC-SA-2020-023) 2020-06-04

Deck App 1.0.1

• Improper access control allows injecting tasks into other users decks (NC-SA-2020-022) 2020-05-15

Talk App 8.0.8

• Code injection possible with malformed Nextcloud Talk chat commands (NC-SA-2020-021) 2020-04-20

Talk App 7.0.3

• Code injection possible with malformed Nextcloud Talk chat commands (NC-SA-2020-021) 2020-04-20

Talk App 6.0.5

• Code injection possible with malformed Nextcloud Talk chat commands (NC-SA-2020-021) 2020-04-20

Contacts App 3.3.0

• Limit contacts photo uploading to images (NC-SA-2020-024) 2020-04-16

Deck App 0.8.1

• Missing permission check on resharing a board (NC-SA-2020-025) 2020-04-08

Mail App 1.1.4

• Mail app not verifying TLS host of mail servers (NC-SA-2020-020) 2020-03-24

Nextcloud Server 18.0.3

• XSS in Files PDF viewer (NC-SA-2020-019) 2020-03-18
• Missing ownership check on remote wipe endpoint (NC-SA-2020-018) 2020-03-18

Nextcloud Server 17.0.5

• Missing ownership check on remote wipe endpoint (NC-SA-2020-018) 2020-03-18

Desktop Client 2.6.3

• Code injection in Nextcloud Desktop Client for macOS (NC-SA-2020-016) 2020-02-17

Nextcloud Server 18.0.1

• Secure view shares can be downloaded by manipulating the URL (NC-SA-2020-015) 2020-02-07

Nextcloud Server 17.0.4

• Secure view shares can be downloaded by manipulating the URL (NC-SA-2020-015) 2020-02-07

Nextcloud Server 16.0.9

• Secure view shares can be downloaded by manipulating the URL (NC-SA-2020-015) 2020-02-07

Nextcloud Server 17.0.2

• SSRF protection bypass in calendar subscriptions (NC-SA-2020-014) 2019-12-12

Nextcloud Server 16.0.7

• SSRF protection bypass in calendar subscriptions (NC-SA-2020-014) 2019-12-12

Nextcloud Server 15.0.14

• SSRF protection bypass in calendar subscriptions (NC-SA-2020-014) 2019-12-12

Android App 3.9.1

• Bypass lock protection in Android app (NC-SA-2020-004) 2019-12-05

Nextcloud Server 17.0.2

• Workflow rules only check the file extension for the mimetype instead of the content (NC-SA-2020-002) 2019-12-04

Nextcloud Server 16.0.7

• Workflow rules only check the file extension for the mimetype instead of the content (NC-SA-2020-002) 2019-12-04

Nextcloud Server 15.0.14

• Workflow rules only check the file extension for the mimetype instead of the content (NC-SA-2020-002) 2019-12-04

iOS App 2.25.0

• Missing sanitization in iOS App allows XSS (NC-SA-2020-003) 2019-11-20

Nextcloud Server 17.0.1

• Duplicate setup of second factor allowed (NC-SA-2020-006) 2019-10-25

Nextcloud Server 17.0.0

• Missing default timeout on HTTP requests (NC-SA-2020-005) 2019-09-04

Nextcloud Server 16.0.4

• Improper neutralization of item names in projects feature (NC-SA-2020-008) 2019-07-29

Deck App 0.6.6

• Improper neutralization of item names in projects feature (NC-SA-2020-010) 2019-07-29

Talk App 6.0.4

• Name of private conversations leaked when linked via projects to a shared item (NC-SA-2020-011) 2019-07-29
• Improper neutralization of item names in projects feature (NC-SA-2020-009) 2019-07-29

Groupfolders App 4.0.4

• Renaming an item to a protected hidden folder deletes the target (NC-SA-2020-017) 2019-07-15

Nextcloud Server 16.0.2

• Improper permission preservation on reshares (NC-SA-2020-012) 2019-06-27

Nextcloud Server 15.0.9

• Improper permission preservation on reshares (NC-SA-2020-012) 2019-06-27

Nextcloud Server 14.0.13

• Improper permission preservation on reshares (NC-SA-2020-012) 2019-06-27

Nextcloud Server 15.0.3

• 2FA sessions not properly expired on password change (NC-SA-2020-001) 2019-04-01

Nextcloud Server 14.0.7

• 2FA sessions not properly expired on password change (NC-SA-2020-001) 2019-04-01

Nextcloud Server 13.0.11

• 2FA sessions not properly expired on password change (NC-SA-2020-001) 2019-04-01

Nextcloud Server 15.0.6

• Reflected XSS in redirect of the Updater (NC-SA-2020-007) 2019-03-26

Nextcloud Server 14.0.9

• Reflected XSS in redirect of the Updater (NC-SA-2020-007) 2019-03-26

Nextcloud Server 14.0.4

• Event details leaked when sharing a non-public calendar event (NC-SA-2020-013) 2018-11-15

Nextcloud Server 13.0.8

• Event details leaked when sharing a non-public calendar event (NC-SA-2020-013) 2018-11-15

Nextcloud Server 12.0.13

• Event details leaked when sharing a non-public calendar event (NC-SA-2020-013) 2018-11-15

---

2019

iOS App 2.24.0

• Login and token disclosure to other Nextcloud services (NC-SA-2019-017) 2019-11-12

Nextcloud Server 17.0.1

• File-drop content is visible through the gallery app (NC-SA-2019-012) 2019-10-22

Nextcloud Server 16.0.6

• File-drop content is visible through the gallery app (NC-SA-2019-012) 2019-10-22

Nextcloud Server 15.0.13

• File-drop content is visible through the gallery app (NC-SA-2019-012) 2019-10-22

Circles App 0.17.8

• Removing emails from circles does not revoke access to shared items (NC-SA-2019-013) 2019-10-06

Circles App 0.16.11

• Removing emails from circles does not revoke access to shared items (NC-SA-2019-013) 2019-10-06

Nextcloud Server 15.0.8

• Group admins can create users with IDs of system folders (NC-SA-2019-015) 2019-08-12

Nextcloud Server 14.0.11

• Group admins can create users with IDs of system folders (NC-SA-2019-015) 2019-08-12

Nextcloud Server 16.0.2

• Reflected XSS in svg logo generation (NC-SA-2019-018) 2019-08-02

Nextcloud Server 15.0.9

• Reflected XSS in svg logo generation (NC-SA-2019-018) 2019-08-02

Nextcloud Server 14.0.13

• Reflected XSS in svg logo generation (NC-SA-2019-018) 2019-08-02

Android App 3.7.0

• Improper sanitization of HTML in directory names (NC-SA-2019-009) 2019-07-26

Android App 3.6.2

• Thumbnails of files leaked via Android content provider (NC-SA-2019-007) 2019-07-26

Android App 3.6.1

• Query restriction bypass on exposed FileContentProvider in Android app (NC-SA-2019-011) 2019-07-26
• Bypass lock protection in Android app (NC-SA-2019-008) 2019-07-26
• Bypass lock protection in Android app (NC-SA-2019-004) 2019-07-26

Android App 3.3.0

• Bypass lock protection in Android app (NC-SA-2019-006) 2019-07-26

Android App 3.0.0

• SQL injection in Android app content provider (NC-SA-2019-005) 2019-07-26

Lookup server 0.3.0

• SQL Injection in lookup-server (NC-SA-2019-010) 2019-07-26

Nextcloud Server 16.0.2

• Server-Side request forgery in New-Subscription feature of the calendar app (NC-SA-2019-014) 2019-07-04

Nextcloud Server 15.0.9

• Server-Side request forgery in New-Subscription feature of the calendar app (NC-SA-2019-014) 2019-07-04

Nextcloud Server 16.0.2

• User IDs and Nextcloud server leaked to Nextcloud Lookup server with disabled settings (NC-SA-2019-016) 2019-06-26

Nextcloud Server 15.0.9

• User IDs and Nextcloud server leaked to Nextcloud Lookup server with disabled settings (NC-SA-2019-016) 2019-06-26

Nextcloud Server 14.0.13

• User IDs and Nextcloud server leaked to Nextcloud Lookup server with disabled settings (NC-SA-2019-016) 2019-06-26

Nextcloud Server 15.0.1

• Classification of calendar events is ignored by the activity stream (NC-SA-2019-001) 2019-04-12

Nextcloud Server 14.0.5

• Improper share updates could result in extended data access (NC-SA-2019-003) 2019-04-12
• Classification of calendar events is ignored by the activity stream (NC-SA-2019-001) 2019-04-12

Nextcloud Server 13.0.9

• Improper share updates could result in extended data access (NC-SA-2019-003) 2019-04-12
• Classification of calendar events is ignored by the activity stream (NC-SA-2019-001) 2019-04-12

Nextcloud Server 15.0.0

• Improper share updates could result in extended data access (NC-SA-2019-003) 2019-04-12
• Improper access control checks for share expiration date (NC-SA-2019-002) 2019-04-12

Nextcloud Server 14.0.4

• Improper access control checks for share expiration date (NC-SA-2019-002) 2019-04-12

Nextcloud Server 13.0.8

• Improper access control checks for share expiration date (NC-SA-2019-002) 2019-04-12

Nextcloud Server 12.0.13

• Improper access control checks for share expiration date (NC-SA-2019-002) 2019-04-12

---

2018

Android App 3.2.0

• Improper check for access to application database (NC-SA-2018-015) 2019-07-26

Nextcloud Server 14.0.0

• Improper access control checks for single share previews (NC-SA-2018-014) 2018-10-25
• Session fixation on public share page (NC-SA-2018-013) 2018-10-25
• Improper authentication on public shares (NC-SA-2018-012) 2018-10-25
• Second factor authentication bypassed if provider fails to load (NC-SA-2018-011) 2018-10-25
• Improper validation of permissions (NC-SA-2018-010) 2018-10-25

Nextcloud Server 13.0.3

• Session fixation on public share page (NC-SA-2018-013) 2018-10-25

Nextcloud Server 12.0.8

• Session fixation on public share page (NC-SA-2018-013) 2018-10-25

Nextcloud Server 13.0.6

• Improper validation of permissions (NC-SA-2018-010) 2018-10-25

Nextcloud Server 12.0.11

• Improper validation of permissions (NC-SA-2018-010) 2018-10-25

Nextcloud Server 13.0.5

• Stored XSS in autocomplete suggestions for file comments (NC-SA-2018-008) 2018-08-10

Talk App 3.2.5

• Stored XSS in autocomplete suggestions for chat @-mentions (NC-SA-2018-009) 2018-08-10

Nextcloud Server 12.0.3

• Bypass of 2 Factor Authentication (NC-SA-2018-007) 2018-08-03
• Improper validation of data passed to JSON encoder (NC-SA-2018-006) 2018-08-03

Nextcloud Server 11.0.5

• Improper validation of data passed to JSON encoder (NC-SA-2018-006) 2018-08-03

Nextcloud Server 13.0.3

• Improper validation on OAuth2 token endpoint (NC-SA-2018-003) 2018-06-21
• File access control rules not applied to image previews (NC-SA-2018-002) 2018-06-21

Nextcloud Server 12.0.8

• Improper validation on OAuth2 token endpoint (NC-SA-2018-003) 2018-06-21
• File access control rules not applied to image previews (NC-SA-2018-002) 2018-06-21

Calendar App 1.6.1

• Stored XSS in calendar via group shares (NC-SA-2018-004) 2018-06-21

Calendar App 1.5.8

• Stored XSS in calendar via group shares (NC-SA-2018-004) 2018-06-21

Contacts App 2.1.2

• Stored XSS in contacts via group shares (NC-SA-2018-005) 2018-06-21

Nextcloud Server 12.0.5

• App password scope can be changed for other users (NC-SA-2018-001) 2018-02-07

Nextcloud Server 11.0.7

• App password scope can be changed for other users (NC-SA-2018-001) 2018-02-07

---

2017

Nextcloud Server 11.0.3

• Share tokens for public calendars disclosed (NC-SA-2017-011) 2017-05-08
• Stored XSS in Gallery application (NC-SA-2017-010) 2017-05-08
• Limitation of app specific password scope can be bypassed (NC-SA-2017-009) 2017-05-08
• Reflected XSS in error pages (NC-SA-2017-008) 2017-05-08
• DOM XSS vulnerability in search dialogue (NC-SA-2017-007) 2017-05-08

Nextcloud Server 10.0.5

• Stored XSS in Gallery application (NC-SA-2017-010) 2017-05-08
• Reflected XSS in error pages (NC-SA-2017-008) 2017-05-08

Nextcloud Server 9.0.58

• Stored XSS in Gallery application (NC-SA-2017-010) 2017-05-08
• Reflected XSS in error pages (NC-SA-2017-008) 2017-05-08

Nextcloud Server 11.0.2

• Calendar and addressbook names disclosed (NC-SA-2017-012) 2017-05-08

Nextcloud Server 10.0.4

• Calendar and addressbook names disclosed (NC-SA-2017-012) 2017-05-08

Nextcloud Server 10.0.2

• Content-Spoofing in "files" app (NC-SA-2017-006) 2017-02-05
• Bypassing quota limitation (NC-SA-2017-005) 2017-02-05
• Denial of Service attack (NC-SA-2017-004) 2017-02-05
• Error message discloses existence of file in write-only share (NC-SA-2017-003) 2017-02-05
• Creation of folders in read-only folders despite lacking permissions (NC-SA-2017-002) 2017-02-05
• Permission increase on re-sharing via OCS API (NC-SA-2017-001) 2017-02-05

Nextcloud Server 9.0.55

• Content-Spoofing in "files" app (NC-SA-2017-006) 2017-02-05
• Bypassing quota limitation (NC-SA-2017-005) 2017-02-05
• Denial of Service attack (NC-SA-2017-004) 2017-02-05
• Error message discloses existence of file in write-only share (NC-SA-2017-003) 2017-02-05
• Creation of folders in read-only folders despite lacking permissions (NC-SA-2017-002) 2017-02-05
• Permission increase on re-sharing via OCS API (NC-SA-2017-001) 2017-02-05

---

2016

Nextcloud Server 10.0.1

• Content-Spoofing in "dav" app (NC-SA-2016-011) 2016-10-10
• Content-Spoofing in "files" app (NC-SA-2016-010) 2016-10-10
• Reflected XSS in Gallery application (NC-SA-2016-009) 2016-10-10
• Stored XSS in CardDAV image export (NC-SA-2016-008) 2016-10-10
• SMB User Authentication Bypass (NC-SA-2016-006) 2016-10-10

Nextcloud Server 9.0.54

• Content-Spoofing in "dav" app (NC-SA-2016-011) 2016-10-10
• Content-Spoofing in "files" app (NC-SA-2016-010) 2016-10-10
• Improper authorization check on removing shares (NC-SA-2016-007) 2016-10-10
• SMB User Authentication Bypass (NC-SA-2016-006) 2016-10-10

Nextcloud Server 10.0.0

• Improper authorization check on removing shares (NC-SA-2016-007) 2016-10-10

Nextcloud Server 9.0.52

• Read-only share recipient can restore old versions of file (NC-SA-2016-005) 2016-07-19
• Edit permission check not enforced on WebDAV COPY action (NC-SA-2016-004) 2016-07-19
• Content-Spoofing in "files" app (NC-SA-2016-003) 2016-07-19
• Log pollution can potentially lead to local HTML injection (NC-SA-2016-002) 2016-07-19
• Stored XSS in "gallery" application (NC-SA-2016-001) 2016-07-19