Nextcloud
365 CVEs • 38 products
CVEs (365)
| CVE | Vendors | Products | Updated | Published | CVSS | Description |
|---|---|---|---|---|---|---|
| | | | | | | Improper access control in Nextcloud Deck 0.8.0 allowed an attacker to reshare boards shared with them with more permissions than they had themselves. |
| | | | | | | A cleartext storage of sensitive information in Nextcloud Desktop Client 2.6.4 gave away information about used proxies and their authentication credentials. |
| | | | | | | Missing sanitization of a server response in Nextcloud Desktop Client 2.6.4 for Linux allowed a malicious Nextcloud Server to store files outside of the dedicated sync directory. |
| | | | | | | A cross-site scripting error in Nextcloud Desktop Client 2.6.4 allowed presenting any HTML (including local links) when responding with invalid data on the login attempt. |
| | | | | | | A memory corruption vulnerability exists in Nextcloud Desktop Client v2.6.4 where missing ASLR and DEP protections for Windows allowed memory to be corrupted. |
| | | | | | | A memory leak in the OCUtil.dll library used by Nextcloud Desktop Client 2.6.4 can lead to a DoS against the host system. |
| | | | | | | A code injection in Nextcloud Desktop Client 2.6.4 allowed loading arbitrary code when placing a malicious OpenSSL config into a fixed directory. |
| | Nextcloud | Preferred Providers | Nov 21, 2024 | Jul 30, 2020 | v4: N/A; v3: 5.3 MEDIUM; v2: 5.0 MEDIUM | Improper check of inputs in Nextcloud Preferred Providers app v1.6.0 allowed a denial of service attack to be performed when using a very long password. |
| | | | | | | A missing file type check in Nextcloud Contacts 3.2.0 allowed a malicious user to upload any file as avatars. |
| | | | | | | Improper access control in Nextcloud Deck 1.0.0 allowed an attacker to inject tasks into other users' decks. |
| | | | | | | A too lax check in Nextcloud Talk 6.0.4, 7.0.2 and 8.0.7 allowed a code injection when a not correctly sanitized talk command was added by an administrator. |
| | Fedoraproject, Nextcloud | Fedora, Mail | Nov 21, 2024 | May 12, 2020 | v4: N/A; v3: 7.0 HIGH; v2: 6.8 MEDIUM | A missing verification of the TLS host in Nextcloud Mail 1.1.3 allowed a man-in-the-middle attack. |
| | | | | | | An outdated 3rd party library in the Files PDF viewer for Nextcloud Server 18.0.2 caused a cross-site scripting vulnerability when opening a malicious PDF. |
| | | | | | | An insecure direct object reference vulnerability in Nextcloud Server 18.0.2 allowed an attacker to remote wipe devices of other users when sending a malicious request directly to the endpoint. |
| | Fedoraproject, Nextcloud | Fedora, Group Folders | Nov 21, 2024 | May 12, 2020 | v4: N/A; v3: 8.1 HIGH; v2: 5.5 MEDIUM | Improper access control in Groupfolders app 4.0.3 allowed hidden directories to be deleted when renaming an accessible item to the same name. |
| | | | | | | A code injection in Nextcloud Desktop Client 2.6.2 for macOS allowed loading arbitrary code when starting the client with DYLD_INSERT_LIBRARIES set in the environment. |
| | Fedoraproject, Nextcloud | Fedora, Nextcloud Server | Nov 21, 2024 | Mar 20, 2020 | v4: N/A; v3: 6.5 MEDIUM; v2: 4.0 MEDIUM | A missing access control check in Nextcloud Server < 18.0.1, < 17.0.4, and < 16.0.9 causes hide-download shares to be downloadable when appending /download to the URL. |
| | | | | | | A missing check for IPv4 nested inside IPv6 in Nextcloud Server < 17.0.1, < 16.0.7, and < 15.0.14 allowed a Server-Side Request Forgery (SSRF) vulnerability when subscribing to a malicious calendar URL. |
| | | | | | | A missing check in Nextcloud Server 14.0.3 could give the recipient the possibility to extend the expiration date of a share they received. |
| | | | | | | A bug in Nextcloud Server 14.0.4 could expose more data in reshared link shares than intended by the sharer. |