Top reports from Nextcloud program at HackerOne:

  1. Code injection possible with malformed Nextcloud Talk chat commands to Nextcloud - 315 upvotes, $0
  2. User can delete data in shared folders he's not autorized to access to Nextcloud - 167 upvotes, $0
  3. Access to all files of remote user through shared file to Nextcloud - 149 upvotes, $0
  4. Attacker can obtain write access to any federated share/public link to Nextcloud - 138 upvotes, $4000
  5. Missing ownership check on remote wipe endpoint to Nextcloud - 134 upvotes, $500
  6. Remote Code Execution via Extract App Plugin to Nextcloud - 123 upvotes, $0
  7. Re-Sharing allows increase of privileges to Nextcloud - 91 upvotes, $0
  8. No rate limiting for confirmation email lead to huge Mass mailings to Nextcloud - 78 upvotes, $0
  9. User deletion is not handled properly everywhere to Nextcloud - 77 upvotes, $1000
  10. RCE on Wordpress website to Nextcloud - 76 upvotes, $0
  11. Arbitrary SQL command injection to Nextcloud - 74 upvotes, $0
  12. Nextcloud Desktop Client RCE via malicious URI schemes to Nextcloud - 72 upvotes, $1000
  13. CSRF protection on OIDC login is broken to Nextcloud - 72 upvotes, $500
  14. File-drop content is visible through the gallery app to Nextcloud - 68 upvotes, $0
  15. ID4me feature of OpenID connect app available even when disabled to Nextcloud - 60 upvotes, $0
  16. Arbitrary code execution in desktop client via OpenSSL config to Nextcloud - 59 upvotes, $100
  17. Extremly simple way to bypass Nextcloud-Client PIN/Fingerprint lock to Nextcloud - 58 upvotes, $0
  18. Default Nextcloud Server and Android Client leak sharee searches to Nextcloud to Nextcloud - 56 upvotes, $750
  19. Two-factor authentication enforcement bypass to Nextcloud - 55 upvotes, $750
  20. Clear text storage of proxy parameters and passwords to Nextcloud - 53 upvotes, $0
  21. Basic auth header on WebDAV requests is not bruteforce protected to Nextcloud - 51 upvotes, $0
  22. Authentication bypass in Global Site Selector allows an attacker to log in as any user to Nextcloud - 50 upvotes, $0
  23. XSS in Desktop Client in the notifications to Nextcloud - 49 upvotes, $750
  24. Stored XSS in collabora via user name to Nextcloud - 48 upvotes, $0
  25. Download permissions can be changed by resharer to Nextcloud - 46 upvotes, $500
  26. Inviting excessive long email addresses to a calendar event makes the server unresponsive to Nextcloud - 46 upvotes, $0
  27. Password reset endpoint is not brute force protected to Nextcloud - 44 upvotes, $500
  28. Notes app can be tricked into using a received share created before the user logged in to Nextcloud - 44 upvotes, $0
  29. SSL certificate not validated when registering with a provider to Nextcloud - 43 upvotes, $300
  30. OAuth2 "authorization_code" is valid indefinetly to Nextcloud - 43 upvotes, $100
  31. End-to-end encrypted file-drops can be made inaccessible to Nextcloud - 41 upvotes, $400
  32. Events information leaked with shared calendars on recurrence exceptions to Nextcloud - 41 upvotes, $100
  33. Delete external storage of any user to Nextcloud - 41 upvotes, $0
  34. Memory Leak in OCUtil.dll library in Desktop client can lead to DoS to Nextcloud - 40 upvotes, $100
  35. http://www.nextcloud.com/wp-includes/js/swfupload/swfupload.swf allows open redirect / site defacement to Nextcloud - 40 upvotes, $0
  36. Scoped apptokens can be changed by that very apptoken to Nextcloud - 38 upvotes, $1000
  37. Remote code execution via path traversal in Zip extraction in the Extract app to Nextcloud - 38 upvotes, $0
  38. [Reflected XSS] In Request URL to Nextcloud - 37 upvotes, $0
  39. No password length limit when creating a user as an administrator to Nextcloud - 37 upvotes, $0
  40. Path traversal allows tricking the Talk Android app into writing files into it's root directory to Nextcloud - 37 upvotes, $0
  41. xmlrpc.php &wp-cron.php files are enabled, and will used for (DDOS),(DOS) and broutforce users attack. to Nextcloud - 37 upvotes, $0
  42. Can download files by zipping the folder to Nextcloud - 37 upvotes, $0
  43. Expired reshare links allow access to all files in share to Nextcloud - 36 upvotes, $0
  44. DNS pin middleware can be tricked into DNS rebinding allowing SSRF to Nextcloud - 36 upvotes, $0
  45. Blind SSRF in Mail App to Nextcloud - 36 upvotes, $0
  46. Arbitrary read of all SVG files on a Nextcloud server to Nextcloud - 35 upvotes, $1250
  47. No session logout after changing password & alsoandroid sessions not shown in sessions list so they can be deleted to Nextcloud - 35 upvotes, $0
  48. Brute force protection allows to send more requests than intended to Nextcloud - 34 upvotes, $500
  49. Read-only users can restore old versions to Nextcloud - 34 upvotes, $500
  50. User can copy locked folders and gain access to the contents to Nextcloud - 34 upvotes, $500
  51. Code injection in Nextcloud Desktop Client for macOS to Nextcloud - 34 upvotes, $250
  52. 2FA Session not expires after the password reset to Nextcloud - 34 upvotes, $50
  53. Invisible Salamanders Attack against end_to_end_encryption in Nextcloud to Nextcloud - 34 upvotes, $0
  54. SQL Injection found in NextCloud Android App Content Provider to Nextcloud - 33 upvotes, $150
  55. Cross site scripting - XSRF Token to Nextcloud - 32 upvotes, $0
  56. Weak ssh algorithms and CVE-2023-48795 Discovered on various subdomains of nextcloud.com to Nextcloud - 32 upvotes, $0
  57. OAuth2 client_secret stored in plain text in the database to Nextcloud - 31 upvotes, $100
  58. SSRF via filter bypass due to lax checking on IPs to Nextcloud - 30 upvotes, $250
  59. Passwords being stored as plain text in logging to Nextcloud - 30 upvotes, $0
  60. Group admins can remove arbitrary data from "data" directory (including admin data) to Nextcloud - 30 upvotes, $0
  61. SSRF via potential filter bypass with too lax local domain checking to Nextcloud - 29 upvotes, $250
  62. Mail auto configurator can be tricked into sending account information to wrong servers to Nextcloud - 29 upvotes, $100
  63. I am because bug to Nextcloud - 29 upvotes, $0
  64. Ability to read any emails through IDOR on Nextcloud Mail to Nextcloud - 29 upvotes, $0
  65. ID4ME does not validate signature or expiration to Nextcloud - 28 upvotes, $750
  66. Reflected XSS in error pages (NC-SA-2017-008) to Nextcloud - 28 upvotes, $450
  67. Code injection in macOS Desktop Client to Nextcloud - 28 upvotes, $0
  68. Database error shown to the user when using a long guest name in richdocuments to Nextcloud - 28 upvotes, $0
  69. Bruteforce protection in password verification can be bypassed to Nextcloud - 28 upvotes, $0
  70. App PIN code can be bypassed in Files iOS to Nextcloud - 27 upvotes, $100
  71. CSRF vulnerability that allows an attacker to modify encryption settings to Nextcloud - 27 upvotes, $0
  72. Password of talk conversations can be bruteforced to Nextcloud - 27 upvotes, $0
  73. user_ldap app logs user passwords in the log file on level debug to Nextcloud - 27 upvotes, $0
  74. Open redirect when logging in with user_oidc to Nextcloud - 27 upvotes, $0
  75. Admins can change authentication details of user configured external storage to Nextcloud - 26 upvotes, $100
  76. Can reshare read&share only folder with more permissions to Nextcloud - 25 upvotes, $750
  77. Blind Stored XSS on iOS App due to Unsanitized Webview to Nextcloud - 25 upvotes, $100
  78. Bypass password confirmation via Context-dependent access control (CDCA) to Nextcloud - 25 upvotes, $100
  79. SMTP Command Injection in Appointment Emails via Newlines to Nextcloud - 25 upvotes, $0
  80. Passcode bypass on Talk Android app to Nextcloud - 25 upvotes, $0
  81. Enabling Birthday Contact to any user to Nextcloud - 25 upvotes, $0
  82. HTML injection in search UI when selecting a circle with HTML in the display name to Nextcloud - 25 upvotes, $0
  83. XSS in PDF Viewer to Nextcloud - 24 upvotes, $100
  84. Profile of disabled user stays accessible to Nextcloud - 24 upvotes, $100
  85. Leak arbitrary file under nextcloud android client privacy directory to Nextcloud - 24 upvotes, $0
  86. Cards in Deck are readable by any user to Nextcloud - 24 upvotes, $0
  87. Attachments folder for Text app is accessible on Files Drop/Password protected shares to Nextcloud - 24 upvotes, $0
  88. External storage - global credentials returned to the client side in plaintext to Nextcloud - 24 upvotes, $0
  89. Event create can create attachments that link to other websites to Nextcloud - 23 upvotes, $250
  90. Persistent XSS via filename in projects to Nextcloud - 23 upvotes, $150
  91. Bypass of privacy filter / tracking pixel blocker to Nextcloud - 23 upvotes, $100
  92. Ratelimiting can be bypassed using IPv6 subnets to Nextcloud - 23 upvotes, $0
  93. Missing brute force protection on password confirmation modal to Nextcloud - 23 upvotes, $0
  94. Ability to by-pass second factor to Nextcloud - 22 upvotes, $1000
  95. Session fixation on public talk links to Nextcloud - 22 upvotes, $100
  96. Stored XSS on Share-popup of a directory's Gallery-view to Nextcloud - 22 upvotes, $0
  97. IDOR unsubscribe Anyone from NextClouds Newsletters by knowing their Email to Nextcloud - 22 upvotes, $0
  98. https://help.nextcloud.com::: Web cache poisoning attack to Nextcloud - 22 upvotes, $0
  99. "Secure View" aka "Hide Download" can be bypassed easily to Nextcloud - 22 upvotes, $0
  100. Error in Booking an appointment reveals the full path of the website to Nextcloud - 22 upvotes, $0
  101. Improper restriction of excessive authentication attempts on WebDAV endpoint to Nextcloud - 22 upvotes, $0
  102. Non-admin users can reset app allowlist to the default to Nextcloud - 22 upvotes, $0
  103. Improper handling of request URLs in nextcloud/guests allows guest users to bypass app allowlist to Nextcloud - 22 upvotes, $0
  104. Nextcloud Tables app - inserting rows to an arbitrary table possible to Nextcloud - 22 upvotes, $0
  105. Share information of Tables app is not limited to affected users to Nextcloud - 22 upvotes, $0
  106. Re-emergence of Security Vulnerability in Nextcloud Version 28 Previously Fixed in 25.0.4 to Nextcloud - 21 upvotes, $500
  107. CSRF vulnerability in Nextcloud Desktop Client 3.6.1 on Windows when clicking malicious link to Nextcloud - 21 upvotes, $0
  108. Username and Access Token Disclousure to Nextcloud - 20 upvotes, $250
  109. Gallery: No feedback for invalid password to Nextcloud - 20 upvotes, $50
  110. Session fixation in password protected public download. to Nextcloud - 20 upvotes, $0
  111. XSS through image upload of contacts using svg file with png extension to Nextcloud - 20 upvotes, $0
  112. SMTP Command Injection in iCalendar Attachments to Emails via Newlines to Nextcloud - 20 upvotes, $0
  113. Self XSS when sending HTML as a comment in the Deck app to Nextcloud - 20 upvotes, $0
  114. Open redirect in user_saml via RelayState parameter to Nextcloud - 20 upvotes, $0
  115. Lack of bruteforce protection for TOTP 2FA to Nextcloud - 19 upvotes, $750
  116. Missing brute force protection on OAuth2 API controller to Nextcloud - 19 upvotes, $500
  117. Notification implicit PendingIntent in com.nextcloud.client allows to access contacts to Nextcloud - 19 upvotes, $250
  118. SQLi allow query restriction bypass on exposed FileContentProvider to Nextcloud - 19 upvotes, $100
  119. XSS through image upload of contacts using svg file to Nextcloud - 19 upvotes, $100
  120. OAuth2 Access Token and App Password Security Vulnerability to Nextcloud - 19 upvotes, $0
  121. bypass of 2FA to Nextcloud - 19 upvotes, $0
  122. Denial of Service by requesting to reset a password to Nextcloud - 19 upvotes, $0
  123. [user_oidc] Unencrypted Communications to Nextcloud - 19 upvotes, $0
  124. User scoped external storage can be used to gather credentials of other users to Nextcloud - 19 upvotes, $0
  125. Memcached used as RateLimiter backend is no-op to Nextcloud - 19 upvotes, $0
  126. Self XSS when pasting HTML into Text app with Ctrl+Shift+V to Nextcloud - 19 upvotes, $0
  127. Access control missing while viewing the attachments in the "All boards" to Nextcloud - 18 upvotes, $150
  128. SSRF protection bypass to Nextcloud - 18 upvotes, $100
  129. Server side request forgery (SSRF) on nextcloud implementation. to Nextcloud - 18 upvotes, $0
  130. Log pollution can lead to HTML Injection. to Nextcloud - 18 upvotes, $0
  131. Folder architecture and Filesizes of private file drop shares can be getten to Nextcloud - 18 upvotes, $0
  132. [user_oidc] Stored XSS via Authorization Endpoint - Safari-Only to Nextcloud - 18 upvotes, $0
  133. Clients do not verify server public key to Nextcloud - 17 upvotes, $250
  134. Sensitive files/ data exists post deletion of user account to Nextcloud - 17 upvotes, $150
  135. Access control issue -- [Allow file system access not validated when using session auth] to Nextcloud - 17 upvotes, $100
  136. Unrestricted file upload on the image of contacts to Nextcloud - 17 upvotes, $100
  137. Reflected XSS when renaming a file with a vulnerable name which results in an error to Nextcloud - 17 upvotes, $100
  138. Ransomware protection is missing extentions take 2 to Nextcloud - 17 upvotes, $100
  139. public webdav endpoint not bruteforce protected to Nextcloud - 17 upvotes, $100
  140. Authentication Issue to Nextcloud - 17 upvotes, $50
  141. Response Header injection using redirect_uri together with PHP that utilizes Header Folding according to RFC1945 and Internet Explorer 11 to Nextcloud - 17 upvotes, $0
  142. https://xmpp.nextcloud.com///;@www.google.com allows open redirect to Nextcloud - 17 upvotes, $0
  143. Reflected XSS / Markup Injection in index.php/svg/core/logo/logo parameter color to Nextcloud - 17 upvotes, $0
  144. User with read-only access to a share can gain write access to sub-folders in the share to Nextcloud - 17 upvotes, $0
  145. Full Passcode bypass on Nextcloud App iOS to Nextcloud - 17 upvotes, $0
  146. Missing brute force protection for passwords of password protected share links to Nextcloud - 17 upvotes, $0
  147. X-E2EE-SIGNATURE verification can be bypassed, leading to loss of confidentiality of end-to-end encrypted files to Nextcloud - 17 upvotes, $0
  148. DOM XSS vulnerability in search dialogue (NC-SA-2017-007) to Nextcloud - 16 upvotes, $250
  149. Unauthenticated SSRF in 3rd party module "cerdic/csstidy" to Nextcloud - 16 upvotes, $250
  150. Registered users can change app password permissions for any user to Nextcloud - 16 upvotes, $100
  151. Possible denial of service when entering a loooong password to Nextcloud - 16 upvotes, $100
  152. XSS in desktop client via invalid server address on login form to Nextcloud - 16 upvotes, $0
  153. Possible denial of service when entering a loooong password to Nextcloud - 16 upvotes, $0
  154. Missing server side controls when editing the board’s sharing permissions per user to Nextcloud - 16 upvotes, $0
  155. Password disclosure in initial setup of Mail App to Nextcloud - 16 upvotes, $0
  156. Possibility to delete files attached to deck cards of other users to Nextcloud - 16 upvotes, $0
  157. App pin of the Android app can be bypassed via 3rdparty apps generating deep links to Nextcloud - 16 upvotes, $0
  158. Android - Possible to intercept broadcasts about uploaded files to Nextcloud - 15 upvotes, $0
  159. Email Spoofing Vulnerability from nextcloud. to Nextcloud - 15 upvotes, $0
  160. Non-admin users can trigger writes to memcached by entering a malicious server as a share URL to Nextcloud - 15 upvotes, $0
  161. When sharing a Deck card in conversation the metaData can be manipulated to open arbitrary URL to Nextcloud - 15 upvotes, $0
  162. Talk Android broadcast receiver is not protected by broadcastPermission allowing malicious apps to communicate to Nextcloud - 15 upvotes, $0
  163. Guests can continue to receive video streams from call after being removed from a conversation to Nextcloud - 15 upvotes, $0
  164. HEIC image preview can be used to invoke Imagick to Nextcloud - 15 upvotes, $0
  165. Suspicious login app ships old league/flysystem version to Nextcloud - 15 upvotes, $0
  166. Messages can still be seen on conversation after expiring when cron is misconfigured to Nextcloud - 15 upvotes, $0
  167. Users can set up workflows using restricted and invisible system tags to Nextcloud - 15 upvotes, $0
  168. Error when editing a calendar appointment returns stacktrace and query to Nextcloud - 15 upvotes, $0
  169. File drop public link can also be converted to federated share to Nextcloud - 14 upvotes, $500
  170. Incomplete sanitization in SVG preview provider to Nextcloud - 14 upvotes, $250
  171. Combination of content provider allows private data disclosure to Nextcloud - 14 upvotes, $100
  172. Unauthenticated Stored xss to Nextcloud - 14 upvotes, $0
  173. Content Spoofing /Text Injection in https://docs.nextcloud.com to Nextcloud - 14 upvotes, $0
  174. Nextcloud domain and name of every user leaked to lookup server to Nextcloud - 14 upvotes, $0
  175. xmlrpc.php is enabled - Nextcloud to Nextcloud - 14 upvotes, $0
  176. Nextcloud 10.0 privilege escalation issue - Normal user can mask external storage shared by admin to Nextcloud - 14 upvotes, $0
  177. Docker image with FPM is vulnerable to CVE-2019-11043 to Nextcloud - 14 upvotes, $0
  178. Access Control: Inject tasks into other users decks to Nextcloud - 14 upvotes, $0
  179. Disabled download shares still allow download through preview images to Nextcloud - 14 upvotes, $0
  180. Chat room member disclosure via autocomplete API to Nextcloud - 14 upvotes, $0
  181. Twitter Account hijack @nextcloudfrance to Nextcloud - 14 upvotes, $0
  182. Blind SSRF as normal user from mailapp to Nextcloud - 14 upvotes, $0
  183. see card comments after remove shared board to Nextcloud - 14 upvotes, $0
  184. Missing permission check when removing a photo from an album to Nextcloud - 14 upvotes, $0
  185. End to end encryption public key is not properly verified on Desktop and Android to Nextcloud - 13 upvotes, $1500
  186. Linux client is vulnerable to directory traversal when downloading files to Nextcloud - 13 upvotes, $250
  187. Database resource exhaustion for logged-in users via sharee recommendations with circles to Nextcloud - 13 upvotes, $250
  188. Virtual Data Room / Hide download on collabora is easy to bypass to Nextcloud - 13 upvotes, $150
  189. Android app does not clear end to end encryption keys to Nextcloud - 13 upvotes, $100
  190. Talk / spreed: Disclosure of Room names and participants for password protected rooms to Nextcloud - 13 upvotes, $50
  191. Design Issues on ( ███ ) Lead to show ( IPS of Users ) to Nextcloud - 13 upvotes, $0
  192. Content Spoofing/Text Injection in https://demo.nextcloud.com to Nextcloud - 13 upvotes, $0
  193. Delete permission can be added on reshare to Nextcloud - 13 upvotes, $0
  194. Exposing debug.log file leads to server full path disclosure to Nextcloud - 13 upvotes, $0
  195. Only the file extensions are checked, not the MIME types as configured to Nextcloud - 13 upvotes, $0
  196. No rate limiting on sinup page to Nextcloud - 13 upvotes, $0
  197. Take over a mail account due missing validation of account id to Nextcloud - 13 upvotes, $0
  198. Exposed Log File Lead to Full Internal path disclosure at [https://nextcloud.com/wp-content/debug.log] to Nextcloud - 13 upvotes, $0
  199. Reference caching can leak data to unauthorized users to Nextcloud - 13 upvotes, $0
  200. Reflected XSS vulnerability with full CSP bypass in Nextcloud installations using recommended bundle to Nextcloud - 13 upvotes, $0
  201. Responsive Server-side Request Forgery (SSRF) to Nextcloud - 13 upvotes, $0
  202. Missing rate limiting on password reset functionality allows to send lot of emails to Nextcloud - 12 upvotes, $100
  203. Bypassing lock protection to Nextcloud - 12 upvotes, $50
  204. WordPress <= 4.6.1 Stored XSS Via Theme File to Nextcloud - 12 upvotes, $0
  205. Disclosure of administrators via JSON on nextcloud.com Wordpress to Nextcloud - 12 upvotes, $0
  206. Wordpress 4.7.1 to Nextcloud - 12 upvotes, $0
  207. https://portal.nextcloud.com/.htaccess file is readable to Nextcloud - 12 upvotes, $0
  208. Remote attacker can impersonate Social users via ActivityPub API to Nextcloud - 12 upvotes, $0
  209. Predictable Random Number Generator to Nextcloud - 12 upvotes, $0
  210. Able to bypass "Device credentials" Lock to Nextcloud - 12 upvotes, $0
  211. Stored XSS in markdown file with Nextcloud Talk using Internet Explorer to Nextcloud - 12 upvotes, $0
  212. Lack of Brute force protection while joining video call in talk section which is password protected to Nextcloud - 12 upvotes, $0
  213. Information exposure in in guzzlehttp/guzzle (https://github.com/nextcloud/3rdparty/tree/master/guzzlehttp/guzzle) to Nextcloud - 12 upvotes, $0
  214. Missing length validation of user displayname allows to generate an SQL error to Nextcloud - 12 upvotes, $0
  215. Missing character limitation allows to put generate a database error to Nextcloud - 12 upvotes, $0
  216. Desktop client can be tricked into opening/executing local files when clicking a nc://open/ link to Nextcloud - 12 upvotes, $0
  217. Mail app stores cleartext password in database until OAUTH2 setup is done to Nextcloud - 12 upvotes, $0
  218. Desktop client does not verify received singed certificate in end to end encryption to Nextcloud - 11 upvotes, $1000
  219. Trusted servers exchange can be triggered by attacker to Nextcloud - 11 upvotes, $750
  220. Default settings leak federated cloud id to lookup server of all users to Nextcloud - 11 upvotes, $350
  221. Access to arbitrary file of the Nextcloud Android app from within the Nextcloud Android app to Nextcloud - 11 upvotes, $250
  222. Add to your nextcloud endpoint is not properly protected to Nextcloud - 11 upvotes, $100
  223. No Rate Limiting on stats.nextcloud.com login to Nextcloud - 11 upvotes, $0
  224. Content spoofing in lookup.nextcloud.com to Nextcloud - 11 upvotes, $0
  225. The session token in the URL to Nextcloud - 11 upvotes, $0
  226. Stored XSS in OAuth redirect URI to Nextcloud - 11 upvotes, $0
  227. In Dockerized Environments, Failing to Read config.php Grants Any Anonymous User Full Admin Access to Nextcloud - 11 upvotes, $0
  228. User Editable nextcloud Wiki pages of Public Repositories to Nextcloud - 11 upvotes, $0
  229. Update App Store: Django account high jacking vulnerability to Nextcloud - 11 upvotes, $0
  230. WordPress vulnerable to multiple attacks at https://nextcloud.com to Nextcloud - 11 upvotes, $0
  231. Self xss to Nextcloud - 11 upvotes, $0
  232. XSS in image metadata field to Nextcloud - 11 upvotes, $0
  233. Text does not respect 'Allow download' permissions to Nextcloud - 10 upvotes, $250
  234. Secure view trivial to bypass to Nextcloud - 10 upvotes, $150
  235. Server-Side request forgery in New-Subscription feature of the calendar app to Nextcloud - 10 upvotes, $100
  236. index.php/apps/files_sharing/shareinfo endpoint is not properly protected to Nextcloud - 10 upvotes, $100
  237. bypass forced password protection via circles app to Nextcloud - 10 upvotes, $100
  238. Bruteforcing help.nextcloud.com to Nextcloud - 10 upvotes, $0
  239. Uploading files to a folder where invited user don't have any EDIT privilege to Nextcloud - 10 upvotes, $0
  240. Group admin can remove user from all his groups via API to Nextcloud - 10 upvotes, $0
  241. Reflected XSS in U2F plugin by shipping the example endpoints to Nextcloud - 10 upvotes, $0
  242. Invalid request may lead content spoofing for phishing to Nextcloud - 10 upvotes, $0
  243. bug reporting template encourages users to paste config file with passwords to Nextcloud - 10 upvotes, $0
  244. The password recovery let users know whether an email address exists or not in the website to Nextcloud - 10 upvotes, $0
  245. Clickjacking URLS to Nextcloud - 10 upvotes, $0
  246. Admin audit is not properly logging unsetting of expiration date to Nextcloud - 10 upvotes, $0
  247. RCE on 17 different Docker containers on your network to Nextcloud - 10 upvotes, $0
  248. High memory usage for generating preview of broken image to Nextcloud - 10 upvotes, $0
  249. Improper input-size validation on the user new session name can result in server-side DDoS. to Nextcloud - 10 upvotes, $0
  250. Last video frame is still sent after video is disabled in a call to Nextcloud - 10 upvotes, $0
  251. Mail app - blind SSRF via imapHost parameter to Nextcloud - 10 upvotes, $0
  252. No password length restriction in reset password endpoint to Nextcloud - 10 upvotes, $0
  253. End to end encryption folder locking is not properly protected to Nextcloud - 9 upvotes, $250
  254. New AppPassword can be generated without password confirmation to Nextcloud - 9 upvotes, $250
  255. [FG-VD-17-063] NextCloud Insufficient Attack Protection Vulnerability Notification to Nextcloud - 9 upvotes, $100
  256. Generated passwords are not fully validated by HIBPValidator to Nextcloud - 9 upvotes, $100
  257. help.nextcloud Email Address/Username enumeration to Nextcloud - 9 upvotes, $0
  258. \OCA\DAV\CardDAV\ImageExportPlugin allows serving arbitrary data with user-defined or empty mimetype to Nextcloud - 9 upvotes, $0
  259. Files Drop: WebDAV endpoint is leaking existence of resources to Nextcloud - 9 upvotes, $0
  260. Bypass permissions to Nextcloud - 9 upvotes, $0
  261. GIT Detected to Nextcloud - 9 upvotes, $0
  262. Privilege escalation - Normal user can somehow make admin to delete shared folders to Nextcloud - 9 upvotes, $0
  263. Wordpress Vulnerable to Potential Unauthorized Password Reset to Nextcloud - 9 upvotes, $0
  264. twofactor_auth bypassable if provider fails to load to Nextcloud - 9 upvotes, $0
  265. Some HTML Tags are Getting Executed in com.nextcloud.client to Nextcloud - 9 upvotes, $0
  266. Allows any user to share their "Root" level folder by sharing "." to Nextcloud - 9 upvotes, $0
  267. PHPUnit is included in groupfolders release package potentially causing RCE to Nextcloud - 9 upvotes, $0
  268. Reduced purmations on encryption to Nextcloud - 9 upvotes, $0
  269. Message Authentication Codes calculated by the Default Encryption Module allow an attacker to silently overwrite blocks in a file to Nextcloud - 9 upvotes, $0
  270. User files is disclosed when someone called while the screen is locked to Nextcloud - 9 upvotes, $0
  271. SQL injextion via vulnerable doctrine/dbal version to Nextcloud - 9 upvotes, $0
  272. Nextcloud Deck : Possibility for anyone to add a stack with existing tasks on anyone's board to Nextcloud - 9 upvotes, $0
  273. Federated share accepting/declining is not logged in audit log to Nextcloud - 9 upvotes, $0
  274. [nextcloud/server] Moment.js vulnerable to Inefficient Regular Expression Complexity to Nextcloud - 9 upvotes, $0
  275. nextcloudcmd incorrectly trusts bad TLS certificates to Nextcloud - 9 upvotes, $0
  276. Mail app - blind SSRF via smtpHost parameter to Nextcloud - 9 upvotes, $0
  277. Vulnerable moment-timezone version shipped to Nextcloud - 9 upvotes, $0
  278. Hide download previews are accessible without a watermark to Nextcloud - 9 upvotes, $0
  279. No rate limit while adding Additional emails feature to Nextcloud - 9 upvotes, $0
  280. user can bypass password enforcement when federated sharing is enabled to Nextcloud - 8 upvotes, $250
  281. com.nextcloud.client bypass the protection lock in andoid app v 3.18.1 latest version. to Nextcloud - 8 upvotes, $200
  282. Download of file with arbitrary extension via injection into attachment header to Nextcloud - 8 upvotes, $125
  283. Share recipient can modify a share's expiration date to Nextcloud - 8 upvotes, $100
  284. Possibility to force an admin to install recommended applications to Nextcloud - 8 upvotes, $100
  285. Moderator can enable cam/mic remotely if cam/mic-permission was disabled while user has activated cam/mic to Nextcloud - 8 upvotes, $100
  286. User Information Disclosure via REST API to Nextcloud - 8 upvotes, $0
  287. Update php-saml library to 2.10.5 to Nextcloud - 8 upvotes, $0
  288. Missing Rate Limit for Current Password field in nextcloud.com to Nextcloud - 8 upvotes, $0
  289. Github wikis are editable by anyone to Nextcloud - 8 upvotes, $0
  290. Uploading large avatar images cause excessive CPU usage to Nextcloud - 8 upvotes, $0
  291. Wordpress Users Disclosure to Nextcloud - 8 upvotes, $0
  292. Directory listing is enabled that exposes non public data through multiple path to Nextcloud - 8 upvotes, $0
  293. Delete All Data of Any User to Nextcloud - 8 upvotes, $0
  294. Password of failed (2FA) login attempt is stored in log to Nextcloud - 8 upvotes, $0
  295. Mail does not verify IMAP/SMTP host connected via TLS to Nextcloud - 8 upvotes, $0
  296. Acting under any different user via DB-stored credentials to Nextcloud - 8 upvotes, $0
  297. Nextcloud deck sharee search leaks searches to lookupserver by default to Nextcloud - 8 upvotes, $0
  298. Webauthn tokens are not removed on user deletion to Nextcloud - 8 upvotes, $0
  299. Control character filtering misses leading and trailing whitespace in file and folder names to Nextcloud - 8 upvotes, $0
  300. Mail app - Blind SSRF via Sierve server fonctionnality and sieveHost parameter to Nextcloud - 8 upvotes, $0
  301. Document content of files can be obtained through Collabora for files of other users to Nextcloud - 8 upvotes, $0
  302. Potential directory traversal in OC\Files\Node\Folder::getFullPath to Nextcloud - 8 upvotes, $0
  303. Read-only share recipient can restore old versions of file to Nextcloud - 7 upvotes, $300
  304. Nextcloud mail does not respect download permissions in shares to Nextcloud - 7 upvotes, $250
  305. Calendar and addressbook names disclosed (NC-SA-2017-012) to Nextcloud - 7 upvotes, $183
  306. Open redirect on "Unsupported browser" warning to Nextcloud - 7 upvotes, $150
  307. Android content provider exposes password-protected share password hashes to Nextcloud - 7 upvotes, $75
  308. Content (Text) Injection at NextCloud Server 9.0.52 - via http://custom_nextcloud_url/remote.php/dav/files/ to Nextcloud - 7 upvotes, $0
  309. IDOR - Disable sharing to Nextcloud - 7 upvotes, $0
  310. Reflected XSS in Gallery App to Nextcloud - 7 upvotes, $0
  311. Bad content-type in response header when getting document can lead to html injection to Nextcloud - 7 upvotes, $0
  312. XSS on IOS app via HTML rendering to Nextcloud - 7 upvotes, $0
  313. WordPress < 4.8.2 vulnerable to multiple attacks to Nextcloud - 7 upvotes, $0
  314. Email Notification should be get while changing password on apps.nextcloud.com to Nextcloud - 7 upvotes, $0
  315. File access control rules not enforced on image files to Nextcloud - 7 upvotes, $0
  316. NextCloud is also Accepting OCTET-STREAM Type of Documents instead of jpg or Imge Files Only to Nextcloud - 7 upvotes, $0
  317. Private/confidential setting of calendar events is ignored on activity stream to Nextcloud - 7 upvotes, $0
  318. Click Jacking Nextcloud to Nextcloud - 7 upvotes, $0
  319. (Authenticated) RCE by bypassing of the .htaccess blacklist to Nextcloud - 7 upvotes, $0
  320. Improper protection of FileContentProvider to Nextcloud - 7 upvotes, $0
  321. Disabled user can reset their password to Nextcloud - 7 upvotes, $0
  322. Github wikis are editable by anyone https://github.com/nextcloud/bookmarks/wiki to Nextcloud - 7 upvotes, $0
  323. The password of a mail share is not set if the password is given when the share is created (Nextcloud < 18) to Nextcloud - 7 upvotes, $0
  324. Password policy changes not enforced for existing passwords to Nextcloud - 7 upvotes, $0
  325. Unexpected federated shares added via public link to Nextcloud - 7 upvotes, $0
  326. Serverinfo endpoints are not bruteforce protected nor are tokens properly generated to Nextcloud - 7 upvotes, $0
  327. Talk - Leak of password-protected room name via already existent resource addition to Nextcloud - 6 upvotes, $150
  328. Federated editing allows iframing possibly malicious remotes to Nextcloud - 6 upvotes, $100
  329. Expired SSL certificate to Nextcloud - 6 upvotes, $0
  330. Wordpress: Directory Traversal / Denial of Serivce to Nextcloud - 6 upvotes, $0
  331. Directory listening enabled in: 88.198.160.130 to Nextcloud - 6 upvotes, $0
  332. Password Reset Link issue to Nextcloud - 6 upvotes, $0
  333. Wordpress Version Disclosure Bug On Nextcloud to Nextcloud - 6 upvotes, $0
  334. Password reset link remains valid after email change to Nextcloud - 6 upvotes, $0
  335. Share owner has no possibility to list all existing derived shares to Nextcloud - 6 upvotes, $0
  336. Content spoofing due to the improper behavior of the 403 page to Nextcloud - 6 upvotes, $0
  337. Stored XSS/HTML injection in autocomplete suggestions for sharing to Nextcloud - 6 upvotes, $0
  338. Passcode Protection in Android Devices Can be Bypassed. to Nextcloud - 6 upvotes, $0
  339. SQL exception in JSON format to Nextcloud - 6 upvotes, $0
  340. Email Spoofing to Nextcloud - 6 upvotes, $0
  341. SSRF on local storage of iOS mobile to Nextcloud - 6 upvotes, $0
  342. Event privacy level does not work in Thunderbird to Nextcloud - 6 upvotes, $0
  343. Missing SPF flags for customerupdates.nextcloud.com to Nextcloud - 6 upvotes, $0
  344. DOMPurify 0.8.9 released to Nextcloud - 6 upvotes, $0
  345. Leaked of Profile Image from URL changing to Nextcloud - 6 upvotes, $0
  346. Formula Injection vulnerability in CSV export feature to Nextcloud - 6 upvotes, $0
  347. HTML Injection on "polls" app - comments section (possibly XSS) to Nextcloud - 6 upvotes, $0
  348. bypassing dashboard without account + Information disclosure trough websockets to Nextcloud - 6 upvotes, $0
  349. Default Nextcloud server config and iOS Nextcloud client leak sharee searches to Nextcloud to Nextcloud - 6 upvotes, $0
  350. Malicious apps can crash Nextcloud Android client by sending malformed intents to Nextcloud - 6 upvotes, $0
  351. ApiService#fetch serves content as text/html and inline Content-Disposition to Nextcloud - 6 upvotes, $0
  352. Text app leaks file path of shared files to Nextcloud - 6 upvotes, $0
  353. A vulnerability classified as critical has been found in gsi-openssh-server 7.9p1 on Fedora (Connectivity Software) on server (http://95.217.64.181:22 to Nextcloud - 6 upvotes, $0
  354. Limitation of app specific password scope can be bypassed (NC-SA-2017-009) to Nextcloud - 5 upvotes, $300
  355. More content spoofing through dir param in the files app to Nextcloud - 5 upvotes, $50
  356. Shared file link - password protection bypass under certain conditions to Nextcloud - 5 upvotes, $50
  357. nextcloud.com: Content Injection Custom 404 Error to Nextcloud - 5 upvotes, $0
  358. Vulnerable Javascript library to Nextcloud - 5 upvotes, $0
  359. Email ID Disclosure. to Nextcloud - 5 upvotes, $0
  360. Information Disclosure of .htaccess file in Private Server/Subdomain to Nextcloud - 5 upvotes, $0
  361. URI scheme bypass in mail app lead to HTML content spoof and opener control to Nextcloud - 5 upvotes, $0
  362. HTTP-Basic Authentication on logs.nextcloud.com to Nextcloud - 5 upvotes, $0
  363. Missing SPF Flags on nextcloud.com to Nextcloud - 5 upvotes, $0
  364. Drone Nextcloud to Nextcloud - 5 upvotes, $0
  365. Version 4.7.2 of wordpress is vulnerable to Nextcloud - 5 upvotes, $0
  366. Content Spoofing/Text Injection in nextcloud.com to Nextcloud - 5 upvotes, $0
  367. Content spoofing due to the improper behavior of the 403 page to Nextcloud - 5 upvotes, $0
  368. Dav sharing permissions issue to Nextcloud - 5 upvotes, $0
  369. Possible RCE to Nextcloud - 5 upvotes, $0
  370. Banner Grabbing - Apache Server Version Disclousure to Nextcloud - 5 upvotes, $0
  371. HTML injection with AutoComplete suggestions to Nextcloud - 5 upvotes, $0
  372. Vulnerable W3 Total Cache plugin version in use on nextcloud.com to Nextcloud - 5 upvotes, $0
  373. Missing DNSSEC to Nextcloud - 5 upvotes, $0
  374. HTML injection and limited XSS via logo image upload - Nextcloud 12.0.0 to Nextcloud - 5 upvotes, $0
  375. potential RCE and XSS via file upload requiring user account and default settings to Nextcloud - 5 upvotes, $0
  376. Recently change email but still login with old email to Nextcloud - 5 upvotes, $0
  377. Downgrade encryption scheme and break integrity through known-plaintext attack to Nextcloud - 5 upvotes, $0
  378. Potential DDoS when posting long data into workflow validation rules to Nextcloud - 5 upvotes, $0
  379. Talk discloses turn server to anybody to Nextcloud - 5 upvotes, $0
  380. Error in Deleting Deck cards attachment reveals the full path of the website to Nextcloud - 5 upvotes, $0
  381. Ownership check missing when updating or deleting attachments to Nextcloud - 5 upvotes, $0
  382. Calendar name length not validated before writing to database to Nextcloud - 5 upvotes, $0
  383. Targeted phishing attacks in Login flow v2 to Nextcloud - 5 upvotes, $0
  384. Insecure randomness for default password in file sharing when password policy app is disabled to Nextcloud - 5 upvotes, $0
  385. the complete server installation path is visible in cloud/user endpoint to Nextcloud - 5 upvotes, $0
  386. Ability to control the filename when uploading a logo or favicon on theming to Nextcloud - 5 upvotes, $0
  387. Name collision of shared folders to Nextcloud - 5 upvotes, $0
  388. Circle email-members have still access to a shared folder/file after they are removed from the circle to Nextcloud - 4 upvotes, $200
  389. Content Spoofing in "files" app to Nextcloud - 4 upvotes, $50
  390. nextcloud.com: Directory listening for 'wp-includes' forders to Nextcloud - 4 upvotes, $0
  391. Enumeration of subscribed users and unauthenticated email unsubscriptions on https://newsletter.nextcloud.com/?p=unsubscribe to Nextcloud - 4 upvotes, $0
  392. REG: Content provider information leakage to Nextcloud - 4 upvotes, $0
  393. stats.nextcloud.com: Content Injection to Nextcloud - 4 upvotes, $0
  394. nextcloud.com: Mail Bombing ( No Rate Limiting On Sending Emails On Contact us Page) to Nextcloud - 4 upvotes, $0
  395. newsletter.nextcloud.com: Bypass firewall protection to Nextcloud - 4 upvotes, $0
  396. help.nextcloud.com: Known DoS condition (null pointer deref) in Nginx running to Nextcloud - 4 upvotes, $0
  397. Bookmarks: Delete all existing bookmarks of a user to Nextcloud - 4 upvotes, $0
  398. Content spoofing due to the improper behavior of the 403 page in Private Server to Nextcloud - 4 upvotes, $0
  399. [Thirdparty] Stored XSS in chat module - nextcloud server 9.0.51 installed in ubuntu 14.0.4 LTS to Nextcloud - 4 upvotes, $0
  400. Stored XSS on new Calling plugin (spreed) to Nextcloud - 4 upvotes, $0
  401. Avatar image upload and bypass real image verification to Nextcloud - 4 upvotes, $0
  402. Email Spoofing to Nextcloud - 4 upvotes, $0
  403. Filename enumeration && DoS to Nextcloud - 4 upvotes, $0
  404. Review remote code execution in SwiftMailer to Nextcloud - 4 upvotes, $0
  405. Bypassing quota limit to Nextcloud - 4 upvotes, $0
  406. SSRF at apps.nextcloud.com/developer/apps/releases/new to Nextcloud - 4 upvotes, $0
  407. Nextcloud Server Remote Command Execution to Nextcloud - 4 upvotes, $0
  408. Clickjacking In https://demo.nextcloud.com to Nextcloud - 4 upvotes, $0
  409. Missing Rate Limiting protection leading to mass triggering of e-mails to Nextcloud - 4 upvotes, $0
  410. Information Exposure Through Directory Listing to Nextcloud - 4 upvotes, $0
  411. Banner Grabbing - Apache Server Version Disclosure to Nextcloud - 4 upvotes, $0
  412. LDAP login possible even though account doesn't match user filter to Nextcloud - 4 upvotes, $0
  413. Bypass configured 2FA provider with another provider that can be set up at login to Nextcloud - 4 upvotes, $0
  414. Stored XSS on scan.nextcloud.com to Nextcloud - 4 upvotes, $0
  415. Unauthenticated 'display name' information leak on enumeration of login names to Nextcloud - 4 upvotes, $0
  416. Full path disclosure vulnerability via Upload .htaccess file to Nextcloud - 4 upvotes, $0
  417. Anonymous file drop page ignores user profile visibility restrictions to Nextcloud - 4 upvotes, $0
  418. RTLO character allowed in shared files to Nextcloud - 4 upvotes, $0
  419. PIN for passwordless WebAuthn is asked for but not verified to Nextcloud - 4 upvotes, $0
  420. Improper access control to messages of Social app to Nextcloud - 4 upvotes, $0
  421. Social App does not validate server certificates for outgoing connections to Nextcloud - 4 upvotes, $0
  422. [nextcloud.com] Control character allowed in Submit Question to Nextcloud - 4 upvotes, $0
  423. nextcloud-snap CircleCI project has vulnerable configuration which can lead to exposing secrets to Nextcloud - 4 upvotes, $0
  424. Create alias does not validate account id to Nextcloud - 4 upvotes, $0
  425. DoS due to improper input validation can break the admin access into the user data will disallow him from editing that user's data. to Nextcloud - 4 upvotes, $0
  426. No admin audit entry for enabling/disabling 2FA to Nextcloud - 4 upvotes, $0
  427. Ratelimits do not apply to OCS DataResponse to Nextcloud - 4 upvotes, $0
  428. objectId in share location can be set to open arbitrary URL or Deeplinks to Nextcloud - 4 upvotes, $0
  429. @nextcloud/logger NPM package brings vulnerable ansi-regex version to Nextcloud - 4 upvotes, $0
  430. Brute force protections don't work to Nextcloud - 4 upvotes, $0
  431. XSS in Desktop Client via user status and information to Nextcloud - 4 upvotes, $0
  432. XSS in Desktop Client in call notification popup to Nextcloud - 4 upvotes, $0
  433. Exception logging in Sharepoint app reveals clear-text connection details to Nextcloud - 4 upvotes, $0
  434. Website PHP source code returned in javascript to Nextcloud - 4 upvotes, $0
  435. Reference fetch can saturate the server bandwidth for 10 seconds to Nextcloud - 4 upvotes, $0
  436. user_oidc app is missing bruteforce protection to Nextcloud - 4 upvotes, $0
  437. Reflected Self-XSS Vulnerability in the Comment section of Files Information to Nextcloud - 3 upvotes, $100
  438. https://newsletter.nextcloud.com Directory listening and Information Disclosure to Nextcloud - 3 upvotes, $0
  439. No captcha on newsletter.nextcloudcom leaves vulnerable to email spammers to Nextcloud - 3 upvotes, $0
  440. Content Spoofing/Text Injection - docs.nextcloud.org to Nextcloud - 3 upvotes, $0
  441. Business/Functional logic bypass: Remove admins from admin group. to Nextcloud - 3 upvotes, $0
  442. Content injection in subdomain to Nextcloud - 3 upvotes, $0
  443. Bruteforce attack is possible on newsletter.nextcloud.com to Nextcloud - 3 upvotes, $0
  444. No rate limiting on password protected shared file link to Nextcloud - 3 upvotes, $0
  445. WordPress Vulnerabilities: User Enumeration, Vulnerable Akismet Plugin, XML-RPC Interface available to Nextcloud - 3 upvotes, $0
  446. xss for admin of https://newsletter.nextcloud.com to Nextcloud - 3 upvotes, $0
  447. Information disclosure to Nextcloud - 3 upvotes, $0
  448. failure to invalidate session on password change to Nextcloud - 3 upvotes, $0
  449. ci.nextcloud.com: CVE-2015-5477 BIND9 TKEY Vulnerability + Exploit (Denial of Service) to Nextcloud - 3 upvotes, $0
  450. Retrieval and alteration of exposed media on Android Oreo to Nextcloud - 3 upvotes, $0
  451. W3 Total Cache plugin multiple vulnerabilities to Nextcloud - 3 upvotes, $0
  452. SignUp using Fake Email to Nextcloud - 3 upvotes, $0
  453. Veracode and security audit record are publicly available to Nextcloud - 3 upvotes, $0
  454. XSS On Nextcloud Integrated with zimbra drive to Nextcloud - 3 upvotes, $0
  455. Persistent XSS on favorite via filename to Nextcloud - 3 upvotes, $0
  456. Github repo's wiki publicly editable to Nextcloud - 3 upvotes, $0
  457. Missing X-Content-Type-Options to Nextcloud - 3 upvotes, $0
  458. **minor issue ** -Nextcloud 10.0 session issue with desktop client and android client to Nextcloud - 3 upvotes, $0
  459. Contacts menu (not app) fails to restrict (to local groups) for contacts from federated servers to Nextcloud - 3 upvotes, $0
  460. Improper confidentiality protection of server-side encryption keys to Nextcloud - 3 upvotes, $0
  461. Bypassing Passcode/Device credentials to Nextcloud - 3 upvotes, $0
  462. External storage app saves password for all users in the database to Nextcloud - 3 upvotes, $0
  463. No set limit to try to login in "https://auth.nextcloud.com/auth/realms/master/protocol/openid-connect/auth" page. to Nextcloud - 3 upvotes, $0
  464. Nextcloud update checks leaks information to Nextcloud - 3 upvotes, $0
  465. Default Nextcloud allows http federated shares to Nextcloud - 3 upvotes, $0
  466. No admin audit log for auth tokens to Nextcloud - 3 upvotes, $0
  467. Ransomware protection is missing extentions to Nextcloud - 3 upvotes, $0
  468. Federated shares are not password protected to Nextcloud - 3 upvotes, $0
  469. Contacts only sanitizes PHOTO svg if mime type is all lower case to Nextcloud - 3 upvotes, $0
  470. Nextcloud server software: Content Spoofing to Nextcloud - 2 upvotes, $50
  471. help.nextcloud.com: Session Management Issue to Nextcloud - 2 upvotes, $0
  472. Directory Listing On download.nextcloud.com & Practical Attacks on PGP (Pretty Good Privacy) to Nextcloud - 2 upvotes, $0
  473. Lost Password CSRF to Nextcloud - 2 upvotes, $0
  474. Content Spoofing to Nextcloud - 2 upvotes, $0
  475. Content Injection 404 page to Nextcloud - 2 upvotes, $0
  476. Content Injection in subdomain to Nextcloud - 2 upvotes, $0
  477. No permission set on Activities [Android App] to Nextcloud - 2 upvotes, $0
  478. Deny access to download.nextcloud.com + folders to Nextcloud - 2 upvotes, $0
  479. The application uses basic authentication. to Nextcloud - 2 upvotes, $0
  480. Content Injection - apps.nextcloud.com to Nextcloud - 2 upvotes, $0
  481. Content spoofing in cloud.nextcloud.com to Nextcloud - 2 upvotes, $0
  482. Reflected Self-XSS Vulnerability in the Comment section of Files (Different-payloads) to Nextcloud - 2 upvotes, $0
  483. demo.nextcloud.com: Content spoofing due to default Apache Error Page to Nextcloud - 2 upvotes, $0
  484. Arbitrary File Upload in Logo & Log in image Theming setting. to Nextcloud - 2 upvotes, $0
  485. BruteForce in to Admin Account to Nextcloud - 2 upvotes, $0
  486. Login Hints on Admin Panel to Nextcloud - 2 upvotes, $0
  487. Nextcloud.com is vulnerable to SWEET32 attack to Nextcloud - 2 upvotes, $0
  488. Server version/OS type disclosure via HTTP Response Header to Nextcloud - 2 upvotes, $0
  489. CSRF token validation is missing to Nextcloud - 2 upvotes, $0
  490. The email API to reset password is unlimited and can be used as a email bomb to Nextcloud - 2 upvotes, $0
  491. The email API to test email-server settings is unlimited and can be used as a email bomb to Nextcloud - 2 upvotes, $0
  492. information disclose to Nextcloud - 2 upvotes, $0
  493. Content (Text) Injection at https://nextcloud.com to Nextcloud - 2 upvotes, $0
  494. Possible SSRF in email server settings(SMTP mode) to Nextcloud - 2 upvotes, $0
  495. Share tokens for public calendars disclosed (NC-SA-2017-011) to Nextcloud - 2 upvotes, $0
  496. Stored XSS in Gallery application (NC-SA-2017-010) to Nextcloud - 2 upvotes, $0
  497. Disclosed Version of PORTS SSH|HTTP|SSL to Nextcloud - 2 upvotes, $0
  498. Accessing to download.nextcloud.com from original ip adreess | insecure Download to Nextcloud - 2 upvotes, $0
  499. WordPress Plugin Insert or Embed Articulate Content into WordPress Remote Code Execution (UNAUTHORIZED) to Nextcloud - 2 upvotes, $0
  500. Bruteforce in admin panel to Nextcloud - 2 upvotes, $0
  501. Nextcloud logs ldap passwords to Nextcloud - 2 upvotes, $0
  502. Password authentication at newsletter.nextcloud.com discloses username list to Nextcloud - 2 upvotes, $0
  503. Missing memory corruption protection on Windows release built to Nextcloud - 2 upvotes, $0
  504. The password of a mail share is not hashed if the password is given when the share is created to Nextcloud - 2 upvotes, $0
  505. Improper integrity protection of server-side encryption keys to Nextcloud - 2 upvotes, $0
  506. Content spoofing on https://surveyserver.nextcloud.com to Nextcloud - 2 upvotes, $0
  507. DoS attack against the client when entering a long password to Nextcloud - 2 upvotes, $0
  508. External Storage - WebDAV - New user has access to storage from deleted user (same user-ID) to Nextcloud - 2 upvotes, $0
  509. Trusted server shared secret stored unencrypted in the database to Nextcloud - 2 upvotes, $0
  510. Information Exposure Through Directory Listing vulnerability to Nextcloud - 2 upvotes, $0
  511. Content Injection - demo.nextcloud.com to Nextcloud - 1 upvote, $0
  512. demo.nextcloud.com: Content spoofing due to default Apache Error Page to Nextcloud - 1 upvote, $0
  513. Slow Http attack on nextcloud(DOS) to Nextcloud - 1 upvote, $0
  514. xss on demo.nextcloud.com due to outdated version to Nextcloud - 1 upvote, $0
  515. [Nextcloud 9.0.53] Content Spoofing in 'trustDomain' parameter to Nextcloud - 1 upvote, $0
  516. Cross Site Scripting to Nextcloud - 1 upvote, $0
  517. Directory Listing In Subdomain Of nextcloud.com to Nextcloud - 1 upvote, $0
  518. Information Exposure Through Directory Listing - https://apps.nextcloud.com/static/ to Nextcloud - 1 upvote, $0
  519. Clickjacking on https://download.nextcloud.com/ to Nextcloud - 1 upvote, $0
  520. Clickjacking on https://download.nextcloud.com to Nextcloud - 1 upvote, $0
  521. Nextcloud Clickjacking Vulnerability to Nextcloud - 1 upvote, $0
  522. Broken link for wrong domain entry may be leveraged for Phishing, Misinformation, Serving Malware to Nextcloud - 1 upvote, $0
  523. WebDAV Empty Property search leads to full CPU usage to Nextcloud - 1 upvote, $0
  524. Denial of Service when entring an Array in email at seetings to Nextcloud - 1 upvote, $0
  525. xss on setup config page to Nextcloud - 1 upvote, $0
  526. New users can read all Nextcloud Deck data from previous user with same username to Nextcloud - 1 upvote, $0
  527. Leaking sensitive information through JSON file path. to Nextcloud - 1 upvote, $0
  528. Ubuntu 12.04 Privilege Escalation to Nextcloud - 0 upvotes, $0
  529. Clickjacking on https://nextcloud.com/ to Nextcloud - 0 upvotes, $0
  530. Username Enumeration to Nextcloud - 0 upvotes, $0
  531. Bypass hide download Nextcloud Share to Nextcloud - 0 upvotes, $0