Security Advisories

Security page | Threat Model

You can follow our advisories via RSS.

2020

Mail App 1.1.4

Mail app not verifying TLS host of mail servers (NC-SA-2020-020) 2020-03-24

Nextcloud Server 18.0.3

XSS in Files PDF viewer (NC-SA-2020-019) 2020-03-18
Missing ownership check on remote wipe endpoint (NC-SA-2020-018) 2020-03-18

Nextcloud Server 17.0.5

Missing ownership check on remote wipe endpoint (NC-SA-2020-018) 2020-03-18

Desktop Client 2.6.3

Code injection in Nextcloud Desktop Client for macOS (NC-SA-2020-016) 2020-02-17

Nextcloud Server 18.0.1

Secure view shares can be downloaded by manipulating the URL (NC-SA-2020-015) 2020-02-07

Nextcloud Server 17.0.4

Secure view shares can be downloaded by manipulating the URL (NC-SA-2020-015) 2020-02-07

Nextcloud Server 16.0.9

Secure view shares can be downloaded by manipulating the URL (NC-SA-2020-015) 2020-02-07

Nextcloud Server 17.0.2

SSRF protection bypass in calendar subscriptions (NC-SA-2020-014) 2019-12-12

Nextcloud Server 16.0.7

SSRF protection bypass in calendar subscriptions (NC-SA-2020-014) 2019-12-12

Nextcloud Server 15.0.14

SSRF protection bypass in calendar subscriptions (NC-SA-2020-014) 2019-12-12

Android App 3.9.1

Bypass lock protection in Android app (NC-SA-2020-004) 2019-12-05

Nextcloud Server 17.0.2

Workflow rules only check the file extension for the mimetype instead of the content (NC-SA-2020-002) 2019-12-04

Nextcloud Server 16.0.7

Workflow rules only check the file extension for the mimetype instead of the content (NC-SA-2020-002) 2019-12-04

Nextcloud Server 15.0.14

Workflow rules only check the file extension for the mimetype instead of the content (NC-SA-2020-002) 2019-12-04

iOS App 2.25.0

Missing sanitization in iOS App allows XSS (NC-SA-2020-003) 2019-11-20

Nextcloud Server 17.0.1

Duplicate setup of second factor allowed (NC-SA-2020-006) 2019-10-25

Nextcloud Server 17.0.0

Missing default timeout on HTTP requests (NC-SA-2020-005) 2019-09-04

Nextcloud Server 16.0.4

Improper neutralization of item names in projects feature (NC-SA-2020-008) 2019-07-29

Deck App 0.6.6

Improper neutralization of item names in projects feature (NC-SA-2020-010) 2019-07-29

Talk App 6.0.4

Groupfolders App 4.0.4

Renaming an item to a protected hidden folder deletes the target (NC-SA-2020-017) 2019-07-15

Nextcloud Server 16.0.2

Improper permission preservation on reshares (NC-SA-2020-012) 2019-06-27

Nextcloud Server 15.0.9

Improper permission preservation on reshares (NC-SA-2020-012) 2019-06-27

Nextcloud Server 14.0.13

Improper permission preservation on reshares (NC-SA-2020-012) 2019-06-27

Nextcloud Server 15.0.3

2FA sessions not properly expired on password change (NC-SA-2020-001) 2019-04-01

Nextcloud Server 14.0.7

2FA sessions not properly expired on password change (NC-SA-2020-001) 2019-04-01

Nextcloud Server 13.0.11

2FA sessions not properly expired on password change (NC-SA-2020-001) 2019-04-01

Nextcloud Server 15.0.6

Reflected XSS in redirect of the Updater (NC-SA-2020-007) 2019-03-26

Nextcloud Server 14.0.9

Reflected XSS in redirect of the Updater (NC-SA-2020-007) 2019-03-26

Nextcloud Server 14.0.4

Event details leaked when sharing a non-public calendar event (NC-SA-2020-013) 2018-11-15

Nextcloud Server 13.0.8

Event details leaked when sharing a non-public calendar event (NC-SA-2020-013) 2018-11-15

Nextcloud Server 12.0.13

Event details leaked when sharing a non-public calendar event (NC-SA-2020-013) 2018-11-15

2019

iOS App 2.24.0

Login and token disclosure to other Nextcloud services (NC-SA-2019-017) 2019-11-12

Nextcloud Server 17.0.1

File-drop content is visible through the gallery app (NC-SA-2019-012) 2019-10-22

Nextcloud Server 16.0.6

File-drop content is visible through the gallery app (NC-SA-2019-012) 2019-10-22

Nextcloud Server 15.0.13

File-drop content is visible through the gallery app (NC-SA-2019-012) 2019-10-22

Circles App 0.17.8

Removing emails from circles does not revoke access to shared items (NC-SA-2019-013) 2019-10-06

Circles App 0.16.11

Removing emails from circles does not revoke access to shared items (NC-SA-2019-013) 2019-10-06

Nextcloud Server 15.0.8

Group admins can create users with IDs of system folders (NC-SA-2019-015) 2019-08-12

Nextcloud Server 14.0.11

Group admins can create users with IDs of system folders (NC-SA-2019-015) 2019-08-12

Nextcloud Server 16.0.2

Reflected XSS in svg logo generation (NC-SA-2019-018) 2019-08-02

Nextcloud Server 15.0.9

Reflected XSS in svg logo generation (NC-SA-2019-018) 2019-08-02

Nextcloud Server 14.0.13

Reflected XSS in svg logo generation (NC-SA-2019-018) 2019-08-02

Android App 3.7.0

Improper sanitization of HTML in directory names (NC-SA-2019-009) 2019-07-26

Android App 3.6.2

Thumbnails of files leaked via Android content provider (NC-SA-2019-007) 2019-07-26

Android App 3.6.1

Query restriction bypass on exposed FileContentProvider in Android app (NC-SA-2019-011) 2019-07-26
Bypass lock protection in Android app (NC-SA-2019-008) 2019-07-26
Bypass lock protection in Android app (NC-SA-2019-004) 2019-07-26

Android App 3.3.0

Bypass lock protection in Android app (NC-SA-2019-006) 2019-07-26

Android App 3.0.0

SQL injection in Android app content provider (NC-SA-2019-005) 2019-07-26

Lookup server 0.3.0

SQL Injection in lookup-server (NC-SA-2019-010) 2019-07-26

Nextcloud Server 16.0.2

Server-Side request forgery in New-Subscription feature of the calendar app (NC-SA-2019-014) 2019-07-04

Nextcloud Server 15.0.9

Server-Side request forgery in New-Subscription feature of the calendar app (NC-SA-2019-014) 2019-07-04

Nextcloud Server 16.0.2

User IDs and Nextcloud server leaked to Nextcloud Lookup server with disabled settings (NC-SA-2019-016) 2019-06-26

Nextcloud Server 15.0.9

User IDs and Nextcloud server leaked to Nextcloud Lookup server with disabled settings (NC-SA-2019-016) 2019-06-26

Nextcloud Server 14.0.13

User IDs and Nextcloud server leaked to Nextcloud Lookup server with disabled settings (NC-SA-2019-016) 2019-06-26

Nextcloud Server 15.0.1

Classification of calendar events is ignored by the activity stream (NC-SA-2019-001) 2019-04-12

Nextcloud Server 14.0.5

Nextcloud Server 13.0.9

Nextcloud Server 15.0.0

Nextcloud Server 14.0.4

Improper access control checks for share expiration date (NC-SA-2019-002) 2019-04-12

Nextcloud Server 13.0.8

Improper access control checks for share expiration date (NC-SA-2019-002) 2019-04-12

Nextcloud Server 12.0.13

Improper access control checks for share expiration date (NC-SA-2019-002) 2019-04-12

2018

Android App 3.2.0

Improper check for access to application database (NC-SA-2018-015) 2019-07-26

Nextcloud Server 14.0.0

Improper access control checks for single share previews (NC-SA-2018-014) 2018-10-25
Session fixation on public share page (NC-SA-2018-013) 2018-10-25
Improper authentication on public shares (NC-SA-2018-012) 2018-10-25
Second factor authentication bypassed if provider fails to load (NC-SA-2018-011) 2018-10-25
Improper validation of permissions (NC-SA-2018-010) 2018-10-25

Nextcloud Server 13.0.6

Improper validation of permissions (NC-SA-2018-010) 2018-10-25

Nextcloud Server 12.0.11

Improper validation of permissions (NC-SA-2018-010) 2018-10-25

Nextcloud Server 13.0.3

Session fixation on public share page (NC-SA-2018-013) 2018-10-25

Nextcloud Server 12.0.8

Session fixation on public share page (NC-SA-2018-013) 2018-10-25

Nextcloud Server 13.0.5

Stored XSS in autocomplete suggestions for file comments (NC-SA-2018-008) 2018-08-10

Talk App 3.2.5

Stored XSS in autocomplete suggestions for chat @-mentions (NC-SA-2018-009) 2018-08-10

Nextcloud Server 12.0.3

Bypass of 2 Factor Authentication (NC-SA-2018-007) 2018-08-03
Improper validation of data passed to JSON encoder (NC-SA-2018-006) 2018-08-03

Nextcloud Server 11.0.5

Improper validation of data passed to JSON encoder (NC-SA-2018-006) 2018-08-03

Nextcloud Server 13.0.3

Improper validation on OAuth2 token endpoint (NC-SA-2018-003) 2018-06-21
File access control rules not applied to image previews (NC-SA-2018-002) 2018-06-21

Nextcloud Server 12.0.8

Improper validation on OAuth2 token endpoint (NC-SA-2018-003) 2018-06-21
File access control rules not applied to image previews (NC-SA-2018-002) 2018-06-21

Calendar App 1.6.1

Stored XSS in calendar via group shares (NC-SA-2018-004) 2018-06-21

Calendar App 1.5.8

Stored XSS in calendar via group shares (NC-SA-2018-004) 2018-06-21

Contacts App 2.1.2

Stored XSS in contacts via group shares (NC-SA-2018-005) 2018-06-21

Nextcloud Server 12.0.5

App password scope can be changed for other users (NC-SA-2018-001) 2018-02-07

Nextcloud Server 11.0.7

App password scope can be changed for other users (NC-SA-2018-001) 2018-02-07

2017

Nextcloud Server 11.0.3

Share tokens for public calendars disclosed (NC-SA-2017-011) 2017-05-08
Stored XSS in Gallery application (NC-SA-2017-010) 2017-05-08
Limitation of app specific password scope can be bypassed (NC-SA-2017-009) 2017-05-08
Reflected XSS in error pages (NC-SA-2017-008) 2017-05-08
DOM XSS vulnerability in search dialogue (NC-SA-2017-007) 2017-05-08

Nextcloud Server 10.0.5

Stored XSS in Gallery application (NC-SA-2017-010) 2017-05-08
Reflected XSS in error pages (NC-SA-2017-008) 2017-05-08

Nextcloud Server 9.0.58

Stored XSS in Gallery application (NC-SA-2017-010) 2017-05-08
Reflected XSS in error pages (NC-SA-2017-008) 2017-05-08

Nextcloud Server 11.0.2

Calendar and addressbook names disclosed (NC-SA-2017-012) 2017-05-08

Nextcloud Server 10.0.4

Calendar and addressbook names disclosed (NC-SA-2017-012) 2017-05-08

Nextcloud Server 10.0.2

Content-Spoofing in "files" app (NC-SA-2017-006) 2017-02-05
Bypassing quota limitation (NC-SA-2017-005) 2017-02-05
Denial of Service attack (NC-SA-2017-004) 2017-02-05
Error message discloses existence of file in write-only share (NC-SA-2017-003) 2017-02-05
Creation of folders in read-only folders despite lacking permissions (NC-SA-2017-002) 2017-02-05
Permission increase on re-sharing via OCS API (NC-SA-2017-001) 2017-02-05

Nextcloud Server 9.0.55

Content-Spoofing in "files" app (NC-SA-2017-006) 2017-02-05
Bypassing quota limitation (NC-SA-2017-005) 2017-02-05
Denial of Service attack (NC-SA-2017-004) 2017-02-05
Error message discloses existence of file in write-only share (NC-SA-2017-003) 2017-02-05
Creation of folders in read-only folders despite lacking permissions (NC-SA-2017-002) 2017-02-05
Permission increase on re-sharing via OCS API (NC-SA-2017-001) 2017-02-05

2016

Nextcloud Server 9.0.54

Content-Spoofing in "dav" app (NC-SA-2016-011) 2016-10-10
Content-Spoofing in "files" app (NC-SA-2016-010) 2016-10-10
Improper authorization check on removing shares (NC-SA-2016-007) 2016-10-10
SMB User Authentication Bypass (NC-SA-2016-006) 2016-10-10

Nextcloud Server 10.0.1

Content-Spoofing in "dav" app (NC-SA-2016-011) 2016-10-10
Content-Spoofing in "files" app (NC-SA-2016-010) 2016-10-10
Reflected XSS in Gallery application (NC-SA-2016-009) 2016-10-10
Stored XSS in CardDAV image export (NC-SA-2016-008) 2016-10-10
SMB User Authentication Bypass (NC-SA-2016-006) 2016-10-10

Nextcloud Server 10.0.0

Improper authorization check on removing shares (NC-SA-2016-007) 2016-10-10

Nextcloud Server 9.0.52

Read-only share recipient can restore old versions of file (NC-SA-2016-005) 2016-07-19
Edit permission check not enforced on WebDAV COPY action (NC-SA-2016-004) 2016-07-19
Content-Spoofing in "files" app (NC-SA-2016-003) 2016-07-19
Log pollution can potentially lead to local HTML injection (NC-SA-2016-002) 2016-07-19
Stored XSS in "gallery" application (NC-SA-2016-001) 2016-07-19

You have javascript disabled. We tried to make sure the basics of our website work but some functionality will be missing.

This website is using cookies. By visiting you agree with our privacy policy. That's Fine