You can follow our advisories via RSS.
2018
Nextcloud Server 14.0.0
- Improper access control checks for single share previews (NC-SA-2018-014) 2018-10-25
- Session fixation on public share page (NC-SA-2018-013) 2018-10-25
- Improper authentication on public shares (NC-SA-2018-012) 2018-10-25
- Second factor authentication bypassed if provider fails to load (NC-SA-2018-011) 2018-10-25
- Improper validation of permissions (NC-SA-2018-010) 2018-10-25
Nextcloud Server 13.0.6
Nextcloud Server 12.0.11
Nextcloud Server 13.0.3
Nextcloud Server 12.0.8
Nextcloud Server 13.0.5
Talk App 3.2.5
Nextcloud Server 12.0.3
- Bypass of 2 Factor Authentication (NC-SA-2018-007) 2018-08-03
- Improper validation of data passed to JSON encoder (NC-SA-2018-006) 2018-08-03
Nextcloud Server 11.0.5
Nextcloud Server 13.0.3
- Improper validation on OAuth2 token endpoint (NC-SA-2018-003) 2018-06-21
- File access control rules not applied to image previews (NC-SA-2018-002) 2018-06-21
Nextcloud Server 12.0.8
- Improper validation on OAuth2 token endpoint (NC-SA-2018-003) 2018-06-21
- File access control rules not applied to image previews (NC-SA-2018-002) 2018-06-21
Calendar App 1.6.1
Calendar App 1.5.8
Contacts App 2.1.2
Nextcloud Server 12.0.5
Nextcloud Server 11.0.7
2017
Nextcloud Server 11.0.3
- Share tokens for public calendars disclosed (NC-SA-2017-011) 2017-05-08
- Stored XSS in Gallery application (NC-SA-2017-010) 2017-05-08
- Limitation of app specific password scope can be bypassed (NC-SA-2017-009) 2017-05-08
- Reflected XSS in error pages (NC-SA-2017-008) 2017-05-08
- DOM XSS vulnerability in search dialogue (NC-SA-2017-007) 2017-05-08
Nextcloud Server 10.0.5
- Stored XSS in Gallery application (NC-SA-2017-010) 2017-05-08
- Reflected XSS in error pages (NC-SA-2017-008) 2017-05-08
Nextcloud Server 9.0.58
- Stored XSS in Gallery application (NC-SA-2017-010) 2017-05-08
- Reflected XSS in error pages (NC-SA-2017-008) 2017-05-08
Nextcloud Server 11.0.2
Nextcloud Server 10.0.4
Nextcloud Server 10.0.2
- Content-Spoofing in "files" app (NC-SA-2017-006) 2017-02-05
- Bypassing quota limitation (NC-SA-2017-005) 2017-02-05
- Denial of Service attack (NC-SA-2017-004) 2017-02-05
- Error message discloses existence of file in write-only share (NC-SA-2017-003) 2017-02-05
- Creation of folders in read-only folders despite lacking permissions (NC-SA-2017-002) 2017-02-05
- Permission increase on re-sharing via OCS API (NC-SA-2017-001) 2017-02-05
Nextcloud Server 9.0.55
- Content-Spoofing in "files" app (NC-SA-2017-006) 2017-02-05
- Bypassing quota limitation (NC-SA-2017-005) 2017-02-05
- Denial of Service attack (NC-SA-2017-004) 2017-02-05
- Error message discloses existence of file in write-only share (NC-SA-2017-003) 2017-02-05
- Creation of folders in read-only folders despite lacking permissions (NC-SA-2017-002) 2017-02-05
- Permission increase on re-sharing via OCS API (NC-SA-2017-001) 2017-02-05
2016
Nextcloud Server 10.0.1
- Content-Spoofing in "dav" app (NC-SA-2016-011) 2016-10-10
- Content-Spoofing in "files" app (NC-SA-2016-010) 2016-10-10
- Reflected XSS in Gallery application (NC-SA-2016-009) 2016-10-10
- Stored XSS in CardDAV image export (NC-SA-2016-008) 2016-10-10
- SMB User Authentication Bypass (NC-SA-2016-006) 2016-10-10
Nextcloud Server 9.0.54
- Content-Spoofing in "dav" app (NC-SA-2016-011) 2016-10-10
- Content-Spoofing in "files" app (NC-SA-2016-010) 2016-10-10
- Improper authorization check on removing shares (NC-SA-2016-007) 2016-10-10
- SMB User Authentication Bypass (NC-SA-2016-006) 2016-10-10
Nextcloud Server 10.0.0
Nextcloud Server 9.0.52
- Read-only share recipient can restore old versions of file (NC-SA-2016-005) 2016-07-19
- Edit permission check not enforced on WebDAV COPY action (NC-SA-2016-004) 2016-07-19
- Content-Spoofing in "files" app (NC-SA-2016-003) 2016-07-19
- Log pollution can potentially lead to local HTML injection (NC-SA-2016-002) 2016-07-19
- Stored XSS in "gallery" application (NC-SA-2016-001) 2016-07-19