Nextcloud: Security Vulnerabilities
Improper Input Validation in Nextcloud Server 15.0.7 allows group admins to create users with IDs of system folders.
CVSS Score
4.9
EPSS Score
0.003
Published
2020-02-04
Improper authorization in the Circles app 0.17.7 causes retaining access when an email address was removed from a circle.
CVSS Score
4.3
EPSS Score
0.006
Published
2020-02-04
Violation of Secure Design Principles in the iOS App 2.23.0 causes the app to leak its login and token to other Nextcloud services when search e.g. for federated users or registering for push notifications.
CVSS Score
4.9
EPSS Score
0.006
Published
2020-02-04
A bug in Nextcloud Server 15.0.2 causes pending 2FA logins to not be correctly expired when the password of the user is reset.
CVSS Score
5.9
EPSS Score
0.002
Published
2020-02-04
A bug in Nextcloud Server 17.0.1 causes the workflow rules to depend their behaviour on the file extension when checking file mimetypes.
CVSS Score
8.0
EPSS Score
0.003
Published
2020-02-04
Missing sanitization in the iOS App 2.24.4 causes an XSS when opening malicious HTML files.
CVSS Score
5.4
EPSS Score
0.003
Published
2020-02-04
An SQL Injection in the Nextcloud Lookup-Server < v0.3.0 (running on https://lookup.nextcloud.com) caused unauthenticated users to be able to execute arbitrary SQL commands.
CVSS Score
9.8
EPSS Score
0.006
Published
2019-08-07
A missing check in the Nextcloud Server prior to version 15.0.1 causes leaking of calendar event names when adding or modifying confidential or private events.
CVSS Score
4.3
EPSS Score
0.003
Published
2019-07-30
Improper sanitization of HTML in directory names in the Nextcloud Android app prior to version 3.7.0 allowed to style the directory name in the header bar when using basic HTML.
CVSS Score
6.8
EPSS Score
0.001
Published
2019-07-30
Bypass lock protection in the Nextcloud Android app prior to version 3.6.1 allows accessing the files when repeatedly opening and closing the app in a very short time.
CVSS Score
4.6
EPSS Score
0.001
Published
2019-07-30