Security Advisories

---

2019

Android App 3.7.0

• Improper sanitization of HTML in directory names (NC-SA-2019-009) 2019-07-26

Android App 3.6.2

• Thumbnails of files leaked via Android content provider (NC-SA-2019-007) 2019-07-26

Android App 3.6.1

• Query restriction bypass on exposed FileContentProvider in Android app (NC-SA-2019-011) 2019-07-26
• Bypass lock protection in Android app (NC-SA-2019-008) 2019-07-26
• Bypass lock protection in Android app (NC-SA-2019-004) 2019-07-26

Android App 3.3.0

• Bypass lock protection in Android app (NC-SA-2019-006) 2019-07-26

Android App 3.0.0

• SQL injection in Android app content provider (NC-SA-2019-005) 2019-07-26

lookup-server 0.3.0

• SQL Injection in lookup-server (NC-SA-2019-010) 2019-07-26

Nextcloud Server 15.0.1

• Classification of calendar events is ignored by the activity stream (NC-SA-2019-001) 2019-04-12

Nextcloud Server 14.0.5

• Improper share updates could result in extended data access (NC-SA-2019-003) 2019-04-12
• Classification of calendar events is ignored by the activity stream (NC-SA-2019-001) 2019-04-12

Nextcloud Server 13.0.9

• Improper share updates could result in extended data access (NC-SA-2019-003) 2019-04-12
• Classification of calendar events is ignored by the activity stream (NC-SA-2019-001) 2019-04-12

Nextcloud Server 15.0.0

• Improper share updates could result in extended data access (NC-SA-2019-003) 2019-04-12
• Improper access control checks for share expiration date (NC-SA-2019-002) 2019-04-12

Nextcloud Server 14.0.4

• Improper access control checks for share expiration date (NC-SA-2019-002) 2019-04-12

Nextcloud Server 13.0.8

• Improper access control checks for share expiration date (NC-SA-2019-002) 2019-04-12

Nextcloud Server 12.0.13

• Improper access control checks for share expiration date (NC-SA-2019-002) 2019-04-12

---

2018

Android App 3.2.0

• Improper check for access to application database (NC-SA-2018-015) 2019-07-26

Nextcloud Server 14.0.0

• Improper access control checks for single share previews (NC-SA-2018-014) 2018-10-25
• Session fixation on public share page (NC-SA-2018-013) 2018-10-25
• Improper authentication on public shares (NC-SA-2018-012) 2018-10-25
• Second factor authentication bypassed if provider fails to load (NC-SA-2018-011) 2018-10-25
• Improper validation of permissions (NC-SA-2018-010) 2018-10-25

Nextcloud Server 13.0.6

• Improper validation of permissions (NC-SA-2018-010) 2018-10-25

Nextcloud Server 12.0.11

• Improper validation of permissions (NC-SA-2018-010) 2018-10-25

Nextcloud Server 13.0.3

• Session fixation on public share page (NC-SA-2018-013) 2018-10-25

Nextcloud Server 12.0.8

• Session fixation on public share page (NC-SA-2018-013) 2018-10-25

Nextcloud Server 13.0.5

• Stored XSS in autocomplete suggestions for file comments (NC-SA-2018-008) 2018-08-10

Talk App 3.2.5

• Stored XSS in autocomplete suggestions for chat @-mentions (NC-SA-2018-009) 2018-08-10

Nextcloud Server 12.0.3

• Bypass of 2 Factor Authentication (NC-SA-2018-007) 2018-08-03
• Improper validation of data passed to JSON encoder (NC-SA-2018-006) 2018-08-03

Nextcloud Server 11.0.5

• Improper validation of data passed to JSON encoder (NC-SA-2018-006) 2018-08-03

Nextcloud Server 13.0.3

• Improper validation on OAuth2 token endpoint (NC-SA-2018-003) 2018-06-21
• File access control rules not applied to image previews (NC-SA-2018-002) 2018-06-21

Nextcloud Server 12.0.8

• Improper validation on OAuth2 token endpoint (NC-SA-2018-003) 2018-06-21
• File access control rules not applied to image previews (NC-SA-2018-002) 2018-06-21

Calendar App 1.6.1

• Stored XSS in calendar via group shares (NC-SA-2018-004) 2018-06-21

Calendar App 1.5.8

• Stored XSS in calendar via group shares (NC-SA-2018-004) 2018-06-21

Contacts App 2.1.2

• Stored XSS in contacts via group shares (NC-SA-2018-005) 2018-06-21

Nextcloud Server 12.0.5

• App password scope can be changed for other users (NC-SA-2018-001) 2018-02-07

Nextcloud Server 11.0.7

• App password scope can be changed for other users (NC-SA-2018-001) 2018-02-07

---

2017

Nextcloud Server 11.0.3

• Share tokens for public calendars disclosed (NC-SA-2017-011) 2017-05-08
• Stored XSS in Gallery application (NC-SA-2017-010) 2017-05-08
• Limitation of app specific password scope can be bypassed (NC-SA-2017-009) 2017-05-08
• Reflected XSS in error pages (NC-SA-2017-008) 2017-05-08
• DOM XSS vulnerability in search dialogue (NC-SA-2017-007) 2017-05-08

Nextcloud Server 10.0.5

• Stored XSS in Gallery application (NC-SA-2017-010) 2017-05-08
• Reflected XSS in error pages (NC-SA-2017-008) 2017-05-08

Nextcloud Server 9.0.58

• Stored XSS in Gallery application (NC-SA-2017-010) 2017-05-08
• Reflected XSS in error pages (NC-SA-2017-008) 2017-05-08

Nextcloud Server 11.0.2

• Calendar and addressbook names disclosed (NC-SA-2017-012) 2017-05-08

Nextcloud Server 10.0.4

• Calendar and addressbook names disclosed (NC-SA-2017-012) 2017-05-08

Nextcloud Server 10.0.2

• Content-Spoofing in "files" app (NC-SA-2017-006) 2017-02-05
• Bypassing quota limitation (NC-SA-2017-005) 2017-02-05
• Denial of Service attack (NC-SA-2017-004) 2017-02-05
• Error message discloses existence of file in write-only share (NC-SA-2017-003) 2017-02-05
• Creation of folders in read-only folders despite lacking permissions (NC-SA-2017-002) 2017-02-05
• Permission increase on re-sharing via OCS API (NC-SA-2017-001) 2017-02-05

Nextcloud Server 9.0.55

• Content-Spoofing in "files" app (NC-SA-2017-006) 2017-02-05
• Bypassing quota limitation (NC-SA-2017-005) 2017-02-05
• Denial of Service attack (NC-SA-2017-004) 2017-02-05
• Error message discloses existence of file in write-only share (NC-SA-2017-003) 2017-02-05
• Creation of folders in read-only folders despite lacking permissions (NC-SA-2017-002) 2017-02-05
• Permission increase on re-sharing via OCS API (NC-SA-2017-001) 2017-02-05

---

2016

Nextcloud Server 10.0.1

• Content-Spoofing in "dav" app (NC-SA-2016-011) 2016-10-10
• Content-Spoofing in "files" app (NC-SA-2016-010) 2016-10-10
• Reflected XSS in Gallery application (NC-SA-2016-009) 2016-10-10
• Stored XSS in CardDAV image export (NC-SA-2016-008) 2016-10-10
• SMB User Authentication Bypass (NC-SA-2016-006) 2016-10-10

Nextcloud Server 9.0.54

• Content-Spoofing in "dav" app (NC-SA-2016-011) 2016-10-10
• Content-Spoofing in "files" app (NC-SA-2016-010) 2016-10-10
• Improper authorization check on removing shares (NC-SA-2016-007) 2016-10-10
• SMB User Authentication Bypass (NC-SA-2016-006) 2016-10-10

Nextcloud Server 10.0.0

• Improper authorization check on removing shares (NC-SA-2016-007) 2016-10-10

Nextcloud Server 9.0.52

• Read-only share recipient can restore old versions of file (NC-SA-2016-005) 2016-07-19
• Edit permission check not enforced on WebDAV COPY action (NC-SA-2016-004) 2016-07-19
• Content-Spoofing in "files" app (NC-SA-2016-003) 2016-07-19
• Log pollution can potentially lead to local HTML injection (NC-SA-2016-002) 2016-07-19
• Stored XSS in "gallery" application (NC-SA-2016-001) 2016-07-19