Security Advisories

Security page | Threat Model

You can follow our advisories via RSS.

2019

Nextcloud Server 15.0.0

Improper share updates could result in extended data access (NC-SA-2019-003) 2019-04-12
Improper access control checks for share expiration date (NC-SA-2019-002) 2019-04-12

Nextcloud Server 14.0.5

Improper share updates could result in extended data access (NC-SA-2019-003) 2019-04-12

Nextcloud Server 13.0.9

Improper share updates could result in extended data access (NC-SA-2019-003) 2019-04-12

Nextcloud Server 14.0.4

Improper access control checks for share expiration date (NC-SA-2019-002) 2019-04-12

Nextcloud Server 13.0.8

Improper access control checks for share expiration date (NC-SA-2019-002) 2019-04-12

Nextcloud Server 12.0.13

Improper access control checks for share expiration date (NC-SA-2019-002) 2019-04-12

2018

Nextcloud Server 14.0.0

Improper access control checks for single share previews (NC-SA-2018-014) 2018-10-25
Session fixation on public share page (NC-SA-2018-013) 2018-10-25
Improper authentication on public shares (NC-SA-2018-012) 2018-10-25
Second factor authentication bypassed if provider fails to load (NC-SA-2018-011) 2018-10-25
Improper validation of permissions (NC-SA-2018-010) 2018-10-25

Nextcloud Server 13.0.6

Improper validation of permissions (NC-SA-2018-010) 2018-10-25

Nextcloud Server 12.0.11

Improper validation of permissions (NC-SA-2018-010) 2018-10-25

Nextcloud Server 13.0.3

Session fixation on public share page (NC-SA-2018-013) 2018-10-25

Nextcloud Server 12.0.8

Session fixation on public share page (NC-SA-2018-013) 2018-10-25

Nextcloud Server 13.0.5

Stored XSS in autocomplete suggestions for file comments (NC-SA-2018-008) 2018-08-10

Talk App 3.2.5

Stored XSS in autocomplete suggestions for chat @-mentions (NC-SA-2018-009) 2018-08-10

Nextcloud Server 12.0.3

Bypass of 2 Factor Authentication (NC-SA-2018-007) 2018-08-03
Improper validation of data passed to JSON encoder (NC-SA-2018-006) 2018-08-03

Nextcloud Server 11.0.5

Improper validation of data passed to JSON encoder (NC-SA-2018-006) 2018-08-03

Nextcloud Server 13.0.3

Improper validation on OAuth2 token endpoint (NC-SA-2018-003) 2018-06-21
File access control rules not applied to image previews (NC-SA-2018-002) 2018-06-21

Nextcloud Server 12.0.8

Improper validation on OAuth2 token endpoint (NC-SA-2018-003) 2018-06-21
File access control rules not applied to image previews (NC-SA-2018-002) 2018-06-21

Calendar App 1.6.1

Stored XSS in calendar via group shares (NC-SA-2018-004) 2018-06-21

Calendar App 1.5.8

Stored XSS in calendar via group shares (NC-SA-2018-004) 2018-06-21

Contacts App 2.1.2

Stored XSS in contacts via group shares (NC-SA-2018-005) 2018-06-21

Nextcloud Server 12.0.5

App password scope can be changed for other users (NC-SA-2018-001) 2018-02-07

Nextcloud Server 11.0.7

App password scope can be changed for other users (NC-SA-2018-001) 2018-02-07

2017

Nextcloud Server 11.0.3

Share tokens for public calendars disclosed (NC-SA-2017-011) 2017-05-08
Stored XSS in Gallery application (NC-SA-2017-010) 2017-05-08
Limitation of app specific password scope can be bypassed (NC-SA-2017-009) 2017-05-08
Reflected XSS in error pages (NC-SA-2017-008) 2017-05-08
DOM XSS vulnerability in search dialogue (NC-SA-2017-007) 2017-05-08

Nextcloud Server 10.0.5

Stored XSS in Gallery application (NC-SA-2017-010) 2017-05-08
Reflected XSS in error pages (NC-SA-2017-008) 2017-05-08

Nextcloud Server 9.0.58

Stored XSS in Gallery application (NC-SA-2017-010) 2017-05-08
Reflected XSS in error pages (NC-SA-2017-008) 2017-05-08

Nextcloud Server 11.0.2

Calendar and addressbook names disclosed (NC-SA-2017-012) 2017-05-08

Nextcloud Server 10.0.4

Calendar and addressbook names disclosed (NC-SA-2017-012) 2017-05-08

Nextcloud Server 10.0.2

Content-Spoofing in "files" app (NC-SA-2017-006) 2017-02-05
Bypassing quota limitation (NC-SA-2017-005) 2017-02-05
Denial of Service attack (NC-SA-2017-004) 2017-02-05
Error message discloses existence of file in write-only share (NC-SA-2017-003) 2017-02-05
Creation of folders in read-only folders despite lacking permissions (NC-SA-2017-002) 2017-02-05
Permission increase on re-sharing via OCS API (NC-SA-2017-001) 2017-02-05

Nextcloud Server 9.0.55

Content-Spoofing in "files" app (NC-SA-2017-006) 2017-02-05
Bypassing quota limitation (NC-SA-2017-005) 2017-02-05
Denial of Service attack (NC-SA-2017-004) 2017-02-05
Error message discloses existence of file in write-only share (NC-SA-2017-003) 2017-02-05
Creation of folders in read-only folders despite lacking permissions (NC-SA-2017-002) 2017-02-05
Permission increase on re-sharing via OCS API (NC-SA-2017-001) 2017-02-05

2016

Nextcloud Server 10.0.1

Content-Spoofing in "dav" app (NC-SA-2016-011) 2016-10-10
Content-Spoofing in "files" app (NC-SA-2016-010) 2016-10-10
Reflected XSS in Gallery application (NC-SA-2016-009) 2016-10-10
Stored XSS in CardDAV image export (NC-SA-2016-008) 2016-10-10
SMB User Authentication Bypass (NC-SA-2016-006) 2016-10-10

Nextcloud Server 9.0.54

Content-Spoofing in "dav" app (NC-SA-2016-011) 2016-10-10
Content-Spoofing in "files" app (NC-SA-2016-010) 2016-10-10
Improper authorization check on removing shares (NC-SA-2016-007) 2016-10-10
SMB User Authentication Bypass (NC-SA-2016-006) 2016-10-10

Nextcloud Server 10.0.0

Improper authorization check on removing shares (NC-SA-2016-007) 2016-10-10

Nextcloud Server 9.0.52

Read-only share recipient can restore old versions of file (NC-SA-2016-005) 2016-07-19
Edit permission check not enforced on WebDAV COPY action (NC-SA-2016-004) 2016-07-19
Content-Spoofing in "files" app (NC-SA-2016-003) 2016-07-19
Log pollution can potentially lead to local HTML injection (NC-SA-2016-002) 2016-07-19
Stored XSS in "gallery" application (NC-SA-2016-001) 2016-07-19

You have javascript disabled. We tried to make sure the basics of our website work but some functionality will be missing.

This website is using cookies. By visiting you agree with our privacy policy. That's Fine