Nextcloud: Security Vulnerabilities
Nextcloud Android app is the Android client for Nextcloud. In versions prior to 3.15.1, a malicious application on the same device is possible to crash the Nextcloud Android Client due to an uncaught exception. The vulnerability is patched in version 3.15.1.
CVSS Score
4.1
EPSS Score
0.002
Published
2021-06-17
Nextcloud Android app is the Android client for Nextcloud. In versions prior to 3.16.1, a malicious app on the same device could have gotten access to the shared preferences of the Nextcloud Android application. This required user-interaction as a victim had to initiate the sharing flow and choose the malicious app. The shared preferences contain some limited private data such as push tokens and the account name. The vulnerability is patched in version 3.16.1.
CVSS Score
3.9
EPSS Score
0.006
Published
2021-06-17
Nextcloud Talk is a fully on-premises audio/video and chat communication service. Password protected shared chats in Talk before version 9.0.10, 10.0.8 and 11.2.2 did not rotate the session cookie after a successful authentication event. It is recommended that the Nextcloud Talk App is upgraded to 9.0.10, 10.0.8 or 11.2.2. No workarounds for this vulnerability are known to exist.
CVSS Score
6.5
EPSS Score
0.003
Published
2021-06-16
Nextcloud Android App (com.nextcloud.client) before v3.16.0 is vulnerable to information disclosure due to searches for sharees being performed by default on the lookup server instead of only using the local Nextcloud server unless a global search has been explicitly chosen by the user.
CVSS Score
6.5
EPSS Score
0.004
Published
2021-06-11
Nextcloud End-to-End Encryption before 1.5.3, 1.6.3 and 1.7.1 suffers from a denial of service vulnerability due to permitting any authenticated users to lock files of other users.
CVSS Score
6.5
EPSS Score
0.001
Published
2021-06-11
Nextcloud iOS before 3.4.2 suffers from an information disclosure vulnerability when searches for sharees utilize the lookup server by default instead of only on the local Nextcloud server unless a global search has been explicitly chosen by the user.
CVSS Score
6.5
EPSS Score
0.007
Published
2021-06-11
Nextcloud Deck before 1.2.7, 1.4.1 suffers from an information disclosure vulnerability when searches for sharees utilize the lookup server by default instead of only the local Nextcloud server unless a global search has been explicitly chosen by the user.
CVSS Score
6.5
EPSS Score
0.007
Published
2021-06-11
Nextcloud server before 19.0.11, 20.0.10, 21.0.2 is vulnerable to brute force attacks due to lack of inclusion of IPv6 subnets in rate-limiting considerations. This could potentially result in an attacker bypassing rate-limit controls such as the Nextcloud brute-force protection.
CVSS Score
9.8
EPSS Score
0.005
Published
2021-06-11
Nextcloud Desktop Client before 3.3.1 is vulnerable to improper certificate validation due to lack of SSL certificate verification when using the "Register with a Provider" flow.
CVSS Score
5.9
EPSS Score
0.004
Published
2021-06-11
Nextcloud Mail before 1.9.5 suffers from improper access control due to a missing permission check allowing other authenticated users to create mail aliases for other users.
CVSS Score
4.3
EPSS Score
0.003
Published
2021-06-11