Security Advisories

You can follow our advisories via RSS.

Nextcloud Server

Version 11.0.3

DOM XSS vulnerability in search dialogue
Reflected XSS in error pages
Limitation of app specific password scope can be bypassed
Stored XSS in Gallery application
Share tokens for public calendars disclosed

Version 11.0.2

Calendar and addressbook names disclosed

Version 10.0.5

Reflected XSS in error pages
Stored XSS in Gallery application

Version 10.0.4

Calendar and addressbook names disclosed

Version 10.0.2

Permission increase on re-sharing via OCS API
Creation of folders in read-only folders despite lacking permissions
Error message discloses existence of file in write-only share
Denial of Service attack
Bypassing quota limitation
Content-Spoofing in "files" app

Version 10.0.1

SMB User Authentication Bypass
Stored XSS in CardDAV image export
Reflected XSS in Gallery application
Content-Spoofing in "files" app
Content-Spoofing in "dav" app

Version 10.0.0

Improper authorization check on removing shares

Version 9.0.58

Reflected XSS in error pages
Stored XSS in Gallery application

Version 9.0.55

Permission increase on re-sharing via OCS API
Creation of folders in read-only folders despite lacking permissions
Error message discloses existence of file in write-only share
Denial of Service attack
Bypassing quota limitation
Content-Spoofing in "files" app

Version 9.0.54

SMB User Authentication Bypass
Improper authorization check on removing shares
Content-Spoofing in "files" app
Content-Spoofing in "dav" app

Version 9.0.52

Stored XSS in "gallery" application
Log pollution can potentially lead to local HTML injection
Content-Spoofing in "files" app
Edit permission check not enforced on WebDAV COPY action
Read-only share recipient can restore old versions of file

Desktop Clients

Mobile Clients