You can follow our advisories via RSS.
2021
Desktop Client 3.1.3
Nextcloud Server 20.0.6
- Reflected XSS when renaming malicious file (NC-SA-2021-005) 2021-01-25
- External storage credentials stored for wrong user (NC-SA-2021-004) 2021-01-25
Nextcloud Server 20.0.2
- Stored XSS in markdown file with Nextcloud Talk using Internet Explorer (NC-SA-2021-002) 2020-11-18
- Potential DDoS when posting long data into workflow validation rules (NC-SA-2021-001) 2020-11-18
Nextcloud Server 19.0.5
- Stored XSS in markdown file with Nextcloud Talk using Internet Explorer (NC-SA-2021-002) 2020-11-18
- Potential DDoS when posting long data into workflow validation rules (NC-SA-2021-001) 2020-11-18
Nextcloud Server 18.0.11
- Stored XSS in markdown file with Nextcloud Talk using Internet Explorer (NC-SA-2021-002) 2020-11-18
- Potential DDoS when posting long data into workflow validation rules (NC-SA-2021-001) 2020-11-18
Nextcloud Server 20.0.0
- External storage app saves password for all users in the database (NC-SA-2021-006) 2020-10-03
- Denial of Service by requesting to reset a password (NC-SA-2021-003) 2020-10-03
Deck App 1.0.2
- New users can read all Nextcloud Deck data from previous user with same username (NC-SA-2021-007) 2020-06-03
2020
Contacts App 3.4.1
Contacts App 3.4.0
Social App 0.4.0
- Social App does not validate server certificates for outgoing connections (NC-SA-2020-043) 2020-10-15
- Improper access control to messages of Social app (NC-SA-2020-042) 2020-10-15
Nextcloud Server 20.0.0
- Improper integrity protection of server-side encryption keys (NC-SA-2020-041) 2020-10-03
- Improper confidentiality protection of server-side encryption keys (NC-SA-2020-040) 2020-10-03
Nextcloud Server 19.0.2
- Downgrade encryption scheme and break integrity through known-plaintext attack (NC-SA-2020-039) 2020-08-26
- Message Authentication Codes calculated by the Default Encryption Module allow an attacker to silently overwrite blocks in a file (NC-SA-2020-038) 2020-08-26
Nextcloud Server 18.0.8
Nextcloud Server 17.0.10
Nextcloud Server 19.0.2
Preferred providers 1.8.0
Nextcloud Server 19.0.1
Nextcloud Server 18.0.7
Nextcloud Server 17.0.8
Deck App 1.0.5
- Access control missing while viewing the attachments in the 'All boards' (NC-SA-2020-036) 2020-07-15
Desktop Client 2.6.5
- Missing memory corruption protection on Windows release build (NC-SA-2020-035) 2020-07-10
- Memory Leak in OCUtil.dll library in Desktop client can lead to DoS (NC-SA-2020-034) 2020-07-10
- Linux client is vulnerable to directory traversal when downloading files (NC-SA-2020-032) 2020-07-10
- Clear text storage of proxy parameters and passwords (NC-SA-2020-031) 2020-07-10
- Arbitrary code execution in desktop client via OpenSSL config (NC-SA-2020-030) 2020-07-10
- XSS in desktop client via invalid server address on login form (NC-SA-2020-027) 2020-07-10
Preferred providers 1.7.0
Nextcloud Server 19.0.1
- Password of share by mail is not hashed when given on the create share call (NC-SA-2020-026) 2020-06-04
Nextcloud Server 18.0.6
- Password of share by mail is not hashed when given on the create share call (NC-SA-2020-026) 2020-06-04
Nextcloud Server 19.0.0
Nextcloud Server 18.0.5
Nextcloud Server 17.0.7
Deck App 1.0.1
Talk App 8.0.8
Talk App 7.0.3
Talk App 6.0.5
Contacts App 3.3.0
Deck App 0.8.1
Mail App 1.1.4
Nextcloud Server 18.0.3
- XSS in Files PDF viewer (NC-SA-2020-019) 2020-03-18
- Missing ownership check on remote wipe endpoint (NC-SA-2020-018) 2020-03-18
Nextcloud Server 17.0.5
Desktop Client 2.6.3
Nextcloud Server 18.0.1
Nextcloud Server 17.0.4
Nextcloud Server 16.0.9
Nextcloud Server 17.0.2
Nextcloud Server 16.0.7
Nextcloud Server 15.0.14
Android App 3.9.1
Nextcloud Server 17.0.2
Nextcloud Server 16.0.7
Nextcloud Server 15.0.14
iOS App 2.25.0
Nextcloud Server 17.0.1
Nextcloud Server 17.0.0
Nextcloud Server 16.0.4
Deck App 0.6.6
Talk App 6.0.4
- Name of private conversations leaked when linked via projects to a shared item (NC-SA-2020-011) 2019-07-29
- Improper neutralization of item names in projects feature (NC-SA-2020-009) 2019-07-29
Groupfolders App 4.0.4
Nextcloud Server 16.0.2
Nextcloud Server 15.0.9
Nextcloud Server 14.0.13
Nextcloud Server 15.0.3
Nextcloud Server 14.0.7
Nextcloud Server 13.0.11
Nextcloud Server 15.0.6
Nextcloud Server 14.0.9
Nextcloud Server 14.0.4
Nextcloud Server 13.0.8
Nextcloud Server 12.0.13
2019
iOS App 2.24.0
Nextcloud Server 17.0.1
Nextcloud Server 16.0.6
Nextcloud Server 15.0.13
Circles App 0.17.8
Circles App 0.16.11
Nextcloud Server 15.0.8
Nextcloud Server 14.0.11
Nextcloud Server 16.0.2
Nextcloud Server 15.0.9
Nextcloud Server 14.0.13
Android App 3.7.0
Android App 3.6.2
Android App 3.6.1
- Query restriction bypass on exposed FileContentProvider in Android app (NC-SA-2019-011) 2019-07-26
- Bypass lock protection in Android app (NC-SA-2019-008) 2019-07-26
- Bypass lock protection in Android app (NC-SA-2019-004) 2019-07-26
Android App 3.3.0
Android App 3.0.0
Lookup server 0.3.0
Nextcloud Server 16.0.2
- Server-Side request forgery in New-Subscription feature of the calendar app (NC-SA-2019-014) 2019-07-04
Nextcloud Server 15.0.9
- Server-Side request forgery in New-Subscription feature of the calendar app (NC-SA-2019-014) 2019-07-04
Nextcloud Server 16.0.2
Nextcloud Server 15.0.9
Nextcloud Server 14.0.13
Nextcloud Server 15.0.1
Nextcloud Server 14.0.5
- Improper share updates could result in extended data access (NC-SA-2019-003) 2019-04-12
- Classification of calendar events is ignored by the activity stream (NC-SA-2019-001) 2019-04-12
Nextcloud Server 13.0.9
- Improper share updates could result in extended data access (NC-SA-2019-003) 2019-04-12
- Classification of calendar events is ignored by the activity stream (NC-SA-2019-001) 2019-04-12
Nextcloud Server 15.0.0
- Improper share updates could result in extended data access (NC-SA-2019-003) 2019-04-12
- Improper access control checks for share expiration date (NC-SA-2019-002) 2019-04-12
Nextcloud Server 14.0.4
Nextcloud Server 13.0.8
Nextcloud Server 12.0.13
2018
Android App 3.2.0
Nextcloud Server 14.0.0
- Improper access control checks for single share previews (NC-SA-2018-014) 2018-10-25
- Session fixation on public share page (NC-SA-2018-013) 2018-10-25
- Improper authentication on public shares (NC-SA-2018-012) 2018-10-25
- Second factor authentication bypassed if provider fails to load (NC-SA-2018-011) 2018-10-25
- Improper validation of permissions (NC-SA-2018-010) 2018-10-25
Nextcloud Server 13.0.6
Nextcloud Server 12.0.11
Nextcloud Server 13.0.3
Nextcloud Server 12.0.8
Nextcloud Server 13.0.5
Talk App 3.2.5
Nextcloud Server 12.0.3
- Bypass of 2 Factor Authentication (NC-SA-2018-007) 2018-08-03
- Improper validation of data passed to JSON encoder (NC-SA-2018-006) 2018-08-03
Nextcloud Server 11.0.5
Nextcloud Server 13.0.3
- Improper validation on OAuth2 token endpoint (NC-SA-2018-003) 2018-06-21
- File access control rules not applied to image previews (NC-SA-2018-002) 2018-06-21
Nextcloud Server 12.0.8
- Improper validation on OAuth2 token endpoint (NC-SA-2018-003) 2018-06-21
- File access control rules not applied to image previews (NC-SA-2018-002) 2018-06-21
Calendar App 1.6.1
Calendar App 1.5.8
Contacts App 2.1.2
Nextcloud Server 12.0.5
Nextcloud Server 11.0.7
2017
Nextcloud Server 11.0.3
- Share tokens for public calendars disclosed (NC-SA-2017-011) 2017-05-08
- Stored XSS in Gallery application (NC-SA-2017-010) 2017-05-08
- Limitation of app specific password scope can be bypassed (NC-SA-2017-009) 2017-05-08
- Reflected XSS in error pages (NC-SA-2017-008) 2017-05-08
- DOM XSS vulnerability in search dialogue (NC-SA-2017-007) 2017-05-08
Nextcloud Server 10.0.5
- Stored XSS in Gallery application (NC-SA-2017-010) 2017-05-08
- Reflected XSS in error pages (NC-SA-2017-008) 2017-05-08
Nextcloud Server 9.0.58
- Stored XSS in Gallery application (NC-SA-2017-010) 2017-05-08
- Reflected XSS in error pages (NC-SA-2017-008) 2017-05-08
Nextcloud Server 11.0.2
Nextcloud Server 10.0.4
Nextcloud Server 10.0.2
- Content-Spoofing in "files" app (NC-SA-2017-006) 2017-02-05
- Bypassing quota limitation (NC-SA-2017-005) 2017-02-05
- Denial of Service attack (NC-SA-2017-004) 2017-02-05
- Error message discloses existence of file in write-only share (NC-SA-2017-003) 2017-02-05
- Creation of folders in read-only folders despite lacking permissions (NC-SA-2017-002) 2017-02-05
- Permission increase on re-sharing via OCS API (NC-SA-2017-001) 2017-02-05
Nextcloud Server 9.0.55
- Content-Spoofing in "files" app (NC-SA-2017-006) 2017-02-05
- Bypassing quota limitation (NC-SA-2017-005) 2017-02-05
- Denial of Service attack (NC-SA-2017-004) 2017-02-05
- Error message discloses existence of file in write-only share (NC-SA-2017-003) 2017-02-05
- Creation of folders in read-only folders despite lacking permissions (NC-SA-2017-002) 2017-02-05
- Permission increase on re-sharing via OCS API (NC-SA-2017-001) 2017-02-05
2016
Nextcloud Server 10.0.1
- Content-Spoofing in "dav" app (NC-SA-2016-011) 2016-10-10
- Content-Spoofing in "files" app (NC-SA-2016-010) 2016-10-10
- Reflected XSS in Gallery application (NC-SA-2016-009) 2016-10-10
- Stored XSS in CardDAV image export (NC-SA-2016-008) 2016-10-10
- SMB User Authentication Bypass (NC-SA-2016-006) 2016-10-10
Nextcloud Server 9.0.54
- Content-Spoofing in "dav" app (NC-SA-2016-011) 2016-10-10
- Content-Spoofing in "files" app (NC-SA-2016-010) 2016-10-10
- Improper authorization check on removing shares (NC-SA-2016-007) 2016-10-10
- SMB User Authentication Bypass (NC-SA-2016-006) 2016-10-10
Nextcloud Server 10.0.0
Nextcloud Server 9.0.52
- Read-only share recipient can restore old versions of file (NC-SA-2016-005) 2016-07-19
- Edit permission check not enforced on WebDAV COPY action (NC-SA-2016-004) 2016-07-19
- Content-Spoofing in "files" app (NC-SA-2016-003) 2016-07-19
- Log pollution can potentially lead to local HTML injection (NC-SA-2016-002) 2016-07-19
- Stored XSS in "gallery" application (NC-SA-2016-001) 2016-07-19