github.com/nextcloud/nextcloud.com.git
author Morris Jobke <hey@morrisjobke.de> 2018-10-30 14:08:04 +0300
committer Morris Jobke <hey@morrisjobke.de> 2018-10-30 14:08:04 +0300
commit 1915c70314fd6826df261e10b0052d0a353b2e02
tree ac68adb3b878b8f0b5ff2091bec24b8a394edb29 /advisories
parent a82863068630ad639587b6ce6c1ee0c9fb5bc604
Show resolution and remove unneeded duplicate paragraph
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
Diffstat (limited to 'advisories')
-rw-r--r-- advisories/advisories.rss 74
-rw-r--r-- advisories/nc-sa-2016-001.php 10
-rw-r--r-- advisories/nc-sa-2016-002.php 9
-rw-r--r-- advisories/nc-sa-2016-003.php 8
-rw-r--r-- advisories/nc-sa-2016-004.php 8
-rw-r--r-- advisories/nc-sa-2016-005.php 8
-rw-r--r-- advisories/nc-sa-2016-006.php 12
-rw-r--r-- advisories/nc-sa-2016-007.php 8
-rw-r--r-- advisories/nc-sa-2016-008.php 9
-rw-r--r-- advisories/nc-sa-2016-009.php 8
-rw-r--r-- advisories/nc-sa-2016-010.php 8
-rw-r--r-- advisories/nc-sa-2016-011.php 8
-rw-r--r-- advisories/nc-sa-2017-001.php 9
-rw-r--r-- advisories/nc-sa-2017-002.php 9
-rw-r--r-- advisories/nc-sa-2017-003.php 8
-rw-r--r-- advisories/nc-sa-2017-004.php 8
-rw-r--r-- advisories/nc-sa-2017-005.php 8
-rw-r--r-- advisories/nc-sa-2017-006.php 8
-rw-r--r-- advisories/nc-sa-2017-007.php 8
-rw-r--r-- advisories/nc-sa-2017-008.php 9
-rw-r--r-- advisories/nc-sa-2017-009.php 8
-rw-r--r-- advisories/nc-sa-2017-010.php 9
-rw-r--r-- advisories/nc-sa-2017-011.php 8
-rw-r--r-- advisories/nc-sa-2017-012.php 8
-rw-r--r-- advisories/nc-sa-2018-001.php 8
-rw-r--r-- advisories/nc-sa-2018-002.php 8
-rw-r--r-- advisories/nc-sa-2018-003.php 8
-rw-r--r-- advisories/nc-sa-2018-004.php 8
-rw-r--r-- advisories/nc-sa-2018-005.php 8
-rw-r--r-- advisories/nc-sa-2018-006.php 8
-rw-r--r-- advisories/nc-sa-2018-007.php 8
-rw-r--r-- advisories/nc-sa-2018-008.php 8
-rw-r--r-- advisories/nc-sa-2018-009.php 8
-rw-r--r-- advisories/nc-sa-2018-010.php 8
-rw-r--r-- advisories/nc-sa-2018-011.php 8
-rw-r--r-- advisories/nc-sa-2018-012.php 8
-rw-r--r-- advisories/nc-sa-2018-013.php 8
-rw-r--r-- advisories/nc-sa-2018-014.php 8
38 files changed, 185 insertions, 197 deletions
diff --git a/advisories/advisories.rss b/advisories/advisories.rss
index 06e037f3..67c8d56a 100644
--- a/advisories/advisories.rss
+++ b/advisories/advisories.rss
@@ -6,223 +6,223 @@
<description>The Nextcloud security advisories as a RSS feed</description>
<ttl>1800</ttl><item>
<title>Server: Improper access control checks for single share previews (NC-SA-2018-014)</title>
- <description>&lt;p&gt;A missing check could give unauthorized access to the previews of single file password protected shares.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2018-014&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
+ <description>A missing check could give unauthorized access to the previews of single file password protected shares.&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2018-014&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
<link>https://nextcloud.com/security/advisory/?id=nC-SA-2018-014</link>
<guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2018-014</guid>
<pubDate>Thu, 25 Oct 2018 14:00:00 +0200</pubDate>
</item><item>
<title>Server: Session fixation on public share page (NC-SA-2018-013)</title>
- <description>&lt;p&gt;A bug causing session fixation could potentially allow an attacker to obtain access to password protected shares.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2018-013&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
+ <description>A bug causing session fixation could potentially allow an attacker to obtain access to password protected shares.&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2018-013&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
<link>https://nextcloud.com/security/advisory/?id=nC-SA-2018-013</link>
<guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2018-013</guid>
<pubDate>Thu, 25 Oct 2018 14:00:00 +0200</pubDate>
</item><item>
<title>Server: Improper authentication on public shares (NC-SA-2018-012)</title>
- <description>&lt;p&gt;A missing access check could lead to continued access to password protected link shares when the owner had changed the password.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2018-012&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
+ <description>A missing access check could lead to continued access to password protected link shares when the owner had changed the password.&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2018-012&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
<link>https://nextcloud.com/security/advisory/?id=nC-SA-2018-012</link>
<guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2018-012</guid>
<pubDate>Thu, 25 Oct 2018 14:00:00 +0200</pubDate>
</item><item>
<title>Server: Second factor authentication bypassed if provider fails to load (NC-SA-2018-011)</title>
- <description>&lt;p&gt;Missing state would not enforce the use of a second factor at login if the the provider of the second factor failed to load.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2018-011&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
+ <description>Missing state would not enforce the use of a second factor at login if the the provider of the second factor failed to load.&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2018-011&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
<link>https://nextcloud.com/security/advisory/?id=nC-SA-2018-011</link>
<guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2018-011</guid>
<pubDate>Thu, 25 Oct 2018 14:00:00 +0200</pubDate>
</item><item>
<title>Server: Improper validation of permissions (NC-SA-2018-010)</title>
- <description>&lt;p&gt;Improper revalidation of permissions lead to not accepting access restrictions by acess tokens.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2018-010&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
+ <description>Improper revalidation of permissions lead to not accepting access restrictions by acess tokens.&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2018-010&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
<link>https://nextcloud.com/security/advisory/?id=nC-SA-2018-010</link>
<guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2018-010</guid>
<pubDate>Thu, 25 Oct 2018 14:00:00 +0200</pubDate>
</item><item>
<title>Talk App: Stored XSS in autocomplete suggestions for chat @-mentions (NC-SA-2018-009)</title>
- <description>&lt;p&gt;A missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected user names, hence malicious search results could only be crafted by authenticated users.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2018-009&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
+ <description>A missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected user names, hence malicious search results could only be crafted by authenticated users.&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2018-009&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
<link>https://nextcloud.com/security/advisory/?id=nC-SA-2018-009</link>
<guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2018-009</guid>
<pubDate>Fri, 10 Aug 2018 14:00:00 +0200</pubDate>
</item><item>
<title>Server: Stored XSS in autocomplete suggestions for file comments (NC-SA-2018-008)</title>
- <description>&lt;p&gt;A missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected user names, hence malicious search results could only be crafted by authenticated users.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2018-008&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
+ <description>A missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected user names, hence malicious search results could only be crafted by authenticated users.&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2018-008&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
<link>https://nextcloud.com/security/advisory/?id=nC-SA-2018-008</link>
<guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2018-008</guid>
<pubDate>Fri, 10 Aug 2018 14:00:00 +0200</pubDate>
</item><item>
<title>Server: Bypass of 2 Factor Authentication (NC-SA-2018-007)</title>
- <description>&lt;p&gt;Improper authentication of the second factor challenge would allow an attacker that had access to user credentials to bypass the second factor validation completely.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2018-007&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
+ <description>Improper authentication of the second factor challenge would allow an attacker that had access to user credentials to bypass the second factor validation completely.&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2018-007&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
<link>https://nextcloud.com/security/advisory/?id=nC-SA-2018-007</link>
<guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2018-007</guid>
<pubDate>Fri, 03 Aug 2018 14:00:00 +0200</pubDate>
</item><item>
<title>Server: Improper validation of data passed to JSON encoder (NC-SA-2018-006)</title>
- <description>&lt;p&gt;Improper validation of input allowed an attacker to not have their actions logged to the audit log.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2018-006&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
+ <description>Improper validation of input allowed an attacker to not have their actions logged to the audit log.&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2018-006&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
<link>https://nextcloud.com/security/advisory/?id=nC-SA-2018-006</link>
<guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2018-006</guid>
<pubDate>Fri, 03 Aug 2018 14:00:00 +0200</pubDate>
</item><item>
<title>Contacts App: Stored XSS in contacts via group shares (NC-SA-2018-005)</title>
- <description>&lt;p&gt;A missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected group names, hence malicious search results could only be crafted by privileged users like admins or group admins.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2018-005&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
+ <description>A missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected group names, hence malicious search results could only be crafted by privileged users like admins or group admins.&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2018-005&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
<link>https://nextcloud.com/security/advisory/?id=nC-SA-2018-005</link>
<guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2018-005</guid>
<pubDate>Thu, 21 Jun 2018 14:00:00 +0200</pubDate>
</item><item>
<title>Calendar App: Stored XSS in calendar via group shares (NC-SA-2018-004)</title>
- <description>&lt;p&gt;A missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected group names, hence malicious search results could only be crafted by privileged users like admins or group admins.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2018-004&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
+ <description>A missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected group names, hence malicious search results could only be crafted by privileged users like admins or group admins.&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2018-004&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
<link>https://nextcloud.com/security/advisory/?id=nC-SA-2018-004</link>
<guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2018-004</guid>
<pubDate>Thu, 21 Jun 2018 14:00:00 +0200</pubDate>
</item><item>
<title>Server: Improper validation on OAuth2 token endpoint (NC-SA-2018-003)</title>
- <description>&lt;p&gt;Improper validation of input allowed an attacker with access to the OAuth2 refresh token to obtain new tokens.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2018-003&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
+ <description>Improper validation of input allowed an attacker with access to the OAuth2 refresh token to obtain new tokens.&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2018-003&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
<link>https://nextcloud.com/security/advisory/?id=nC-SA-2018-003</link>
<guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2018-003</guid>
<pubDate>Thu, 21 Jun 2018 14:00:00 +0200</pubDate>
</item><item>
<title>Server: File access control rules not applied to image previews (NC-SA-2018-002)</title>
- <description>&lt;p&gt;A missing check for read permissions allowed users that received an incomming share containing files tagged so they should be denied access to still request a preview for those files.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2018-002&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
+ <description>A missing check for read permissions allowed users that received an incomming share containing files tagged so they should be denied access to still request a preview for those files.&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2018-002&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
<link>https://nextcloud.com/security/advisory/?id=nC-SA-2018-002</link>
<guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2018-002</guid>
<pubDate>Thu, 21 Jun 2018 14:00:00 +0200</pubDate>
</item><item>
<title>Server: App password scope can be changed for other users (NC-SA-2018-001)</title>
- <description>&lt;p&gt;A missing ownership check allowed logged-in users to change the scope of app passwords of other users. Note that the app passwords themselves where neither disclosed nor could the error be misused to identify as another user.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2018-001&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
+ <description>A missing ownership check allowed logged-in users to change the scope of app passwords of other users. Note that the app passwords themselves where neither disclosed nor could the error be misused to identify as another user.&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2018-001&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
<link>https://nextcloud.com/security/advisory/?id=nC-SA-2018-001</link>
<guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2018-001</guid>
<pubDate>Wed, 07 Feb 2018 01:00:00 +0100</pubDate>
</item><item>
<title>Server: Calendar and addressbook names disclosed (NC-SA-2017-012)</title>
- <description>&lt;p&gt;A logical error caused disclosure of calendar and addressbook names to other logged-in users. Note that no actual content of the calendar and adressbook has been disclosed.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2017-012&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
+ <description>A logical error caused disclosure of calendar and addressbook names to other logged-in users. Note that no actual content of the calendar and adressbook has been disclosed.&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2017-012&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
<link>https://nextcloud.com/security/advisory/?id=nC-SA-2017-012</link>
<guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2017-012</guid>
<pubDate>Mon, 08 May 2017 14:00:00 +0200</pubDate>
</item><item>
<title>Server: Share tokens for public calendars disclosed (NC-SA-2017-011)</title>
- <description>&lt;p&gt;A logical error caused disclosure of valid share tokens for public calendars. Thus granting an attacker potentially access to publicly shared calendars without knowing the share token.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2017-011&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
+ <description>A logical error caused disclosure of valid share tokens for public calendars. Thus granting an attacker potentially access to publicly shared calendars without knowing the share token.&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2017-011&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
<link>https://nextcloud.com/security/advisory/?id=nC-SA-2017-011</link>
<guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2017-011</guid>
<pubDate>Mon, 08 May 2017 14:00:00 +0200</pubDate>
</item><item>
<title>Server: Stored XSS in Gallery application (NC-SA-2017-010)</title>
- <description>&lt;p&gt;A JavaScript library used by Nextcloud for sanitizing untrusted user-input suffered from a XSS vulnerability caused by a behaviour change in Safari 10.1 and 10.2.&lt;/p&gt;&lt;p&gt;Note that Nextcloud employs a strict Content-Security-Policy preventing exploitation of this XSS issue on modern web browsers.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2017-010&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
+ <description>A JavaScript library used by Nextcloud for sanitizing untrusted user-input suffered from a XSS vulnerability caused by a behaviour change in Safari 10.1 and 10.2.Note that Nextcloud employs a strict Content-Security-Policy preventing exploitation of this XSS issue on modern web browsers.&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2017-010&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
<link>https://nextcloud.com/security/advisory/?id=nC-SA-2017-010</link>
<guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2017-010</guid>
<pubDate>Mon, 08 May 2017 14:00:00 +0200</pubDate>
</item><item>
<title>Server: Limitation of app specific password scope can be bypassed (NC-SA-2017-009)</title>
- <description>&lt;p&gt;Improper session handling allowed an application specific password without permission to the files access to the users file.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2017-009&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
+ <description>Improper session handling allowed an application specific password without permission to the files access to the users file.&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2017-009&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
<link>https://nextcloud.com/security/advisory/?id=nC-SA-2017-009</link>
<guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2017-009</guid>
<pubDate>Mon, 08 May 2017 14:00:00 +0200</pubDate>
</item><item>
<title>Server: Reflected XSS in error pages (NC-SA-2017-008)</title>
- <description>&lt;p&gt;Inadequate escaping of error messages leads to XSS vulnerabilities in multiple components.&lt;/p&gt;&lt;p&gt;Note that Nextcloud employs a strict Content-Security-Policy preventing exploitation of this XSS issue on modern web browsers.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2017-008&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
+ <description>Inadequate escaping of error messages leads to XSS vulnerabilities in multiple components.Note that Nextcloud employs a strict Content-Security-Policy preventing exploitation of this XSS issue on modern web browsers.&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2017-008&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
<link>https://nextcloud.com/security/advisory/?id=nC-SA-2017-008</link>
<guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2017-008</guid>
<pubDate>Mon, 08 May 2017 14:00:00 +0200</pubDate>
</item><item>
<title>Server: DOM XSS vulnerability in search dialogue (NC-SA-2017-007)</title>
- <description>&lt;p&gt;Inadequate escaping lead to XSS vulnerability in the search module. To be exploitable an user has to write or paste malicious content into the search dialogue.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2017-007&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
+ <description>Inadequate escaping lead to XSS vulnerability in the search module. To be exploitable an user has to write or paste malicious content into the search dialogue.&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2017-007&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
<link>https://nextcloud.com/security/advisory/?id=nC-SA-2017-007</link>
<guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2017-007</guid>
<pubDate>Mon, 08 May 2017 14:00:00 +0200</pubDate>
</item><item>
<title>Server: Content-Spoofing in &quot;files&quot; app (NC-SA-2017-006)</title>
- <description>&lt;p&gt;The top navigation bar displayed in the files list contained partially user-controllable input leading to a potential misrepresentation of information.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2017-006&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
+ <description>The top navigation bar displayed in the files list contained partially user-controllable input leading to a potential misrepresentation of information.&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2017-006&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
<link>https://nextcloud.com/security/advisory/?id=nC-SA-2017-006</link>
<guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2017-006</guid>
<pubDate>Sun, 05 Feb 2017 11:36:08 +0100</pubDate>
</item><item>
<title>Server: Bypassing quota limitation (NC-SA-2017-005)</title>
- <description>&lt;p&gt;Due to not properly sanitzing values provided by the `OC-Total-Length` HTTP header an authenticated adversary may be able to exceed their configured user quota. Thus using more space than allowed by the administrator.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2017-005&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
+ <description>Due to not properly sanitzing values provided by the `OC-Total-Length` HTTP header an authenticated adversary may be able to exceed their configured user quota. Thus using more space than allowed by the administrator.&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2017-005&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
<link>https://nextcloud.com/security/advisory/?id=nC-SA-2017-005</link>
<guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2017-005</guid>
<pubDate>Sun, 05 Feb 2017 11:36:08 +0100</pubDate>
</item><item>
<title>Server: Denial of Service attack (NC-SA-2017-004)</title>
- <description>&lt;p&gt;Due to an error in the application logic an authenticated adversary may trigger an endless recursion in the application leading to a potential Denial of Service.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2017-004&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
+ <description>Due to an error in the application logic an authenticated adversary may trigger an endless recursion in the application leading to a potential Denial of Service.&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2017-004&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
<link>https://nextcloud.com/security/advisory/?id=nC-SA-2017-004</link>
<guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2017-004</guid>
<pubDate>Sun, 05 Feb 2017 11:36:08 +0100</pubDate>
</item><item>
<title>Server: Error message discloses existence of file in write-only share (NC-SA-2017-003)</title>
- <description>&lt;p&gt;Due to an error in the application logic an adversary with access to a write-only share may enumerate the names of existing files and subfolders by comparing the exception messages.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2017-003&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
+ <description>Due to an error in the application logic an adversary with access to a write-only share may enumerate the names of existing files and subfolders by comparing the exception messages.&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2017-003&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
<link>https://nextcloud.com/security/advisory/?id=nC-SA-2017-003</link>
<guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2017-003</guid>
<pubDate>Sun, 05 Feb 2017 11:36:08 +0100</pubDate>
</item><item>
<title>Server: Creation of folders in read-only folders despite lacking permissions (NC-SA-2017-002)</title>
- <description>&lt;p&gt;Due to a logical error in the file caching layer an authenticated adversary is able to create empty folders inside a shared folder.&lt;/p&gt;&lt;p&gt;Note that this only affects folders and files that the adversary has at least read-only permissions for.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2017-002&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
+ <description>Due to a logical error in the file caching layer an authenticated adversary is able to create empty folders inside a shared folder.Note that this only affects folders and files that the adversary has at least read-only permissions for.&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2017-002&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
<link>https://nextcloud.com/security/advisory/?id=nC-SA-2017-002</link>
<guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2017-002</guid>
<pubDate>Sun, 05 Feb 2017 11:36:08 +0100</pubDate>
</item><item>
<title>Server: Permission increase on re-sharing via OCS API (NC-SA-2017-001)</title>
- <description>&lt;p&gt;A permission related issue within the OCS sharing API allowed an authenticated adversary to reshare shared files with an increasing permission set. This may allow an attacker to edit files in a share despite having only a 'read' permission set.&lt;/p&gt;&lt;p&gt;Note that this only affects folders and files that the adversary has at least read-only permissions for.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2017-001&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
+ <description>A permission related issue within the OCS sharing API allowed an authenticated adversary to reshare shared files with an increasing permission set. This may allow an attacker to edit files in a share despite having only a 'read' permission set.Note that this only affects folders and files that the adversary has at least read-only permissions for.&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2017-001&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
<link>https://nextcloud.com/security/advisory/?id=nC-SA-2017-001</link>
<guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2017-001</guid>
<pubDate>Sun, 05 Feb 2017 11:36:08 +0100</pubDate>
</item><item>
<title>Server: Content-Spoofing in &quot;dav&quot; app (NC-SA-2016-011)</title>
- <description>&lt;p&gt;The exception message displayed on the DAV endpoints contained partially user-controllable input leading to a potential misrepresentation of information.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2016-011&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
+ <description>The exception message displayed on the DAV endpoints contained partially user-controllable input leading to a potential misrepresentation of information.&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2016-011&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
<link>https://nextcloud.com/security/advisory/?id=nC-SA-2016-011</link>
<guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2016-011</guid>
<pubDate>Mon, 10 Oct 2016 13:21:06 +0200</pubDate>
</item><item>
<title>Server: Content-Spoofing in &quot;files&quot; app (NC-SA-2016-010)</title>
- <description>&lt;p&gt;The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2016-010&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
+ <description>The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user.&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2016-010&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
<link>https://nextcloud.com/security/advisory/?id=nC-SA-2016-010</link>
<guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2016-010</guid>
<pubDate>Mon, 10 Oct 2016 13:21:06 +0200</pubDate>
</item><item>
<title>Server: Reflected XSS in Gallery application (NC-SA-2016-009)</title>
- <description>&lt;p&gt;The gallery app was not properly sanitizing exception messages from the Nextcloud server. Due to an endpoint where an attacker could influence the error message this lead to a reflected Cross-Site-Scripting vulnerability.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2016-009&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
+ <description>The gallery app was not properly sanitizing exception messages from the Nextcloud server. Due to an endpoint where an attacker could influence the error message this lead to a reflected Cross-Site-Scripting vulnerability.&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2016-009&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
<link>https://nextcloud.com/security/advisory/?id=nC-SA-2016-009</link>
<guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2016-009</guid>
<pubDate>Mon, 10 Oct 2016 13:21:06 +0200</pubDate>
</item><item>
<title>Server: Stored XSS in CardDAV image export (NC-SA-2016-008)</title>
- <description>&lt;p&gt;The CardDAV image export functionality as implemented in Nextcloud allows the download of images stored within a vCard. Due to not performing any kind of verification on the image content this is prone to a stored Cross-Site Scripting attack.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; Nextcloud employs a very strict Content Security Policy on the DAV endpoints. This is thus only exploitable on browsers that don't support Content Security Policy.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2016-008&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
+ <description>The CardDAV image export functionality as implemented in Nextcloud allows the download of images stored within a vCard. Due to not performing any kind of verification on the image content this is prone to a stored Cross-Site Scripting attack.&lt;strong&gt;Note:&lt;/strong&gt; Nextcloud employs a very strict Content Security Policy on the DAV endpoints. This is thus only exploitable on browsers that don't support Content Security Policy.&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2016-008&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
<link>https://nextcloud.com/security/advisory/?id=nC-SA-2016-008</link>
<guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2016-008</guid>
<pubDate>Mon, 10 Oct 2016 13:21:06 +0200</pubDate>
</item><item>
<title>Server: Improper authorization check on removing shares (NC-SA-2016-007)</title>
- <description>&lt;p&gt;The Sharing Backend as implemented in Nextcloud does differentiate between shares to users and groups. In case of a received group share, users should be able to unshare the file to themselves but not to the whole group. The previous API implementation did simply unshare the file to all users in the group.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2016-007&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
+ <description>The Sharing Backend as implemented in Nextcloud does differentiate between shares to users and groups. In case of a received group share, users should be able to unshare the file to themselves but not to the whole group. The previous API implementation did simply unshare the file to all users in the group.&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2016-007&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
<link>https://nextcloud.com/security/advisory/?id=nC-SA-2016-007</link>
<guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2016-007</guid>
<pubDate>Mon, 10 Oct 2016 13:21:06 +0200</pubDate>
</item><item>
<title>Server: SMB User Authentication Bypass (NC-SA-2016-006)</title>
- <description>&lt;p&gt;Nextcloud includes an optional and not by default enabled SMB authentication component that allows to authenticate users against an SMB server.&lt;/p&gt;&lt;p&gt;This backend is implemented in a way that it tries to connect to a SMB server and if that succeeded consider the user logged-in.&lt;/p&gt;&lt;p&gt;The backend did not properly take into account SMB servers that any kind of anonymous auth configured. This is the default on SMB servers nowadays and allows an unauthenticated attacker to gain access to an account without valid credentials.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; The SMB backend is disabled by default and requires manual configuration in the Nextcloud config file. If you have not configured the SMB backend then you're not affected by this vulnerability.&lt;/p&gt;&lt;p&gt;&lt;em&gt;&lt;a href=&quot;https://rhinosecuritylabs.com/2016/10/operation-ownedcloud-exploitation-post-exploitation-persistence/&quot;&gt;The reporter has published a blog post about this issue on their website as well.&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2016-006&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
+ <description>Nextcloud includes an optional and not by default enabled SMB authentication component that allows to authenticate users against an SMB server.This backend is implemented in a way that it tries to connect to a SMB server and if that succeeded consider the user logged-in.The backend did not properly take into account SMB servers that any kind of anonymous auth configured. This is the default on SMB servers nowadays and allows an unauthenticated attacker to gain access to an account without valid credentials.&lt;strong&gt;Note:&lt;/strong&gt; The SMB backend is disabled by default and requires manual configuration in the Nextcloud config file. If you have not configured the SMB backend then you're not affected by this vulnerability.&lt;em&gt;&lt;a href=&quot;https://rhinosecuritylabs.com/2016/10/operation-ownedcloud-exploitation-post-exploitation-persistence/&quot;&gt;The reporter has published a blog post about this issue on their website as well.&lt;/a&gt;&lt;/em&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2016-006&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
<link>https://nextcloud.com/security/advisory/?id=nC-SA-2016-006</link>
<guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2016-006</guid>
<pubDate>Mon, 10 Oct 2016 13:21:06 +0200</pubDate>
</item><item>
<title>Server: Read-only share recipient can restore old versions of file (NC-SA-2016-005)</title>
- <description>&lt;p&gt;The restore capability of Nextcloud was not verifying whether an user has only read-only access to a share. Thus an user with read-only access was able to restore old versions.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2016-005&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
+ <description>The restore capability of Nextcloud was not verifying whether an user has only read-only access to a share. Thus an user with read-only access was able to restore old versions.&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2016-005&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
<link>https://nextcloud.com/security/advisory/?id=nC-SA-2016-005</link>
<guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2016-005</guid>
<pubDate>Tue, 19 Jul 2016 10:26:09 +0200</pubDate>
</item><item>
<title>Server: Edit permission check not enforced on WebDAV COPY action (NC-SA-2016-004)</title>
- <description>&lt;p&gt;The WebDAV endpoint was not properly checking the permission on a WebDAV &quot;COPY&quot; action. This allowed an authenticated attacker with access to a read-only share to put new files in there. It was not possible to modify existing files.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2016-004&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
+ <description>The WebDAV endpoint was not properly checking the permission on a WebDAV &quot;COPY&quot; action. This allowed an authenticated attacker with access to a read-only share to put new files in there. It was not possible to modify existing files.&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2016-004&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
<link>https://nextcloud.com/security/advisory/?id=nC-SA-2016-004</link>
<guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2016-004</guid>
<pubDate>Tue, 19 Jul 2016 10:26:09 +0200</pubDate>
</item><item>
<title>Server: Content-Spoofing in &quot;files&quot; app (NC-SA-2016-003)</title>
- <description>&lt;p&gt;The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2016-003&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
+ <description>The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user.&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2016-003&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
<link>https://nextcloud.com/security/advisory/?id=nC-SA-2016-003</link>
<guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2016-003</guid>
<pubDate>Tue, 19 Jul 2016 10:26:09 +0200</pubDate>
</item><item>
<title>Server: Log pollution can potentially lead to local HTML injection (NC-SA-2016-002)</title>
- <description>&lt;p&gt;The &quot;download log&quot; functionality in the admin screen is delivering the log in JSON format to the end-user. The file was delivered with an attachment disposition forcing the browser to download the document. However, Firefox running on Microsoft Windows would offer the user to open the data in the browser as HTML document. Thus any injected data in the log would be executed.&lt;/p&gt;&lt;p&gt;While the document would only be executed locally (thus on another scope) we have decided to fix this to protect our users.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2016-002&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
+ <description>The &quot;download log&quot; functionality in the admin screen is delivering the log in JSON format to the end-user. The file was delivered with an attachment disposition forcing the browser to download the document. However, Firefox running on Microsoft Windows would offer the user to open the data in the browser as HTML document. Thus any injected data in the log would be executed.While the document would only be executed locally (thus on another scope) we have decided to fix this to protect our users.&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2016-002&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
<link>https://nextcloud.com/security/advisory/?id=nC-SA-2016-002</link>
<guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2016-002</guid>
<pubDate>Tue, 19 Jul 2016 10:26:09 +0200</pubDate>
</item><item>
<title>Server: Stored XSS in &quot;gallery&quot; application (NC-SA-2016-001)</title>
- <description>&lt;p&gt;Due to a recent migration of the Gallery app to the new sharing endpoint a parameter changed from an integer to a string value. This value wasn't sanitized before and was thus now vulnerable to a Cross-Site-Scripting attack.&lt;/p&gt;&lt;p&gt;To exploit this vulnerability an authenticated attacker has to share a folder with someone else, get them to open the shared folder in the Gallery app and open the sharing window there.&lt;/p&gt;&lt;p&gt;Since Nextcloud employes a strict Content-Security-Policy this vulnerability is only exploitable in browsers not supporting Content-Security-Policy. You can check at &lt;a href=&quot;http://caniuse.com/#feat=contentsecuritypolicy&quot;&gt;caniuse.com&lt;/a&gt; whether your browser supports CSP.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2016-001&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
+ <description>Due to a recent migration of the Gallery app to the new sharing endpoint a parameter changed from an integer to a string value. This value wasn't sanitized before and was thus now vulnerable to a Cross-Site-Scripting attack.To exploit this vulnerability an authenticated attacker has to share a folder with someone else, get them to open the shared folder in the Gallery app and open the sharing window there.Since Nextcloud employes a strict Content-Security-Policy this vulnerability is only exploitable in browsers not supporting Content-Security-Policy. You can check at &lt;a href=&quot;http://caniuse.com/#feat=contentsecuritypolicy&quot;&gt;caniuse.com&lt;/a&gt; whether your browser supports CSP.&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2016-001&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
<link>https://nextcloud.com/security/advisory/?id=nC-SA-2016-001</link>
<guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2016-001</guid>
<pubDate>Tue, 19 Jul 2016 10:26:09 +0200</pubDate>
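Review bot: In the advisories.rss descriptions, removing the escaped paragraph wrappers joins formerly separate paragraphs with no whitespace, so feed readers will show run-together text such as "shared folder.Note that" (NC-SA-2017-002), "logged-in.The backend" (NC-SA-2016-006) and "executed.While the document" (NC-SA-2016-002). The bold "Note:" in NC-SA-2016-008 and NC-SA-2016-006 now also sits directly against the preceding sentence. Each description now opens as bare text but still closes with a paragraph-wrapped advisory link, which leaves the markup inconsistent. Suggest dropping only the redundant outer wrapper and keeping every inner paragraph in its own escaped p element, or at least emitting a space or br between them. If the feed is generated, make the fix in the generator and regenerate.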
diff --git a/advisories/nc-sa-2016-001.php b/advisories/nc-sa-2016-001.php
index fdd9fa13..82d542e7 100644
--- a/advisories/nc-sa-2016-001.php
+++ b/advisories/nc-sa-2016-001.php
@@ -13,10 +13,7 @@
<p>CWE: <a href="https://cwe.mitre.org/data/definitions/79.html">Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)</a></p>
<p>HackerOne report: <a href="https://hackerone.com/reports/145355">145355</a></p>
<h3>Description</h3>
- <p><p>Due to a recent migration of the Gallery app to the new sharing endpoint a parameter changed from an integer to a string value. This value wasn't sanitized before and was thus now vulnerable to a Cross-Site-Scripting attack.</p>
-<p>To exploit this vulnerability an authenticated attacker has to share a folder with someone else, get them to open the shared folder in the Gallery app and open the sharing window there.</p>
-<p>Since Nextcloud employes a strict Content-Security-Policy this vulnerability is only exploitable in browsers not supporting Content-Security-Policy. You can check at <a href="http://caniuse.com/#feat=contentsecuritypolicy">caniuse.com</a> whether your browser supports CSP.</p>
-</p>
+ <p>Due to a recent migration of the Gallery app to the new sharing endpoint a parameter changed from an integer to a string value. This value wasn't sanitized before and was thus now vulnerable to a Cross-Site-Scripting attack.To exploit this vulnerability an authenticated attacker has to share a folder with someone else, get them to open the shared folder in the Gallery app and open the sharing window there.Since Nextcloud employes a strict Content-Security-Policy this vulnerability is only exploitable in browsers not supporting Content-Security-Policy. You can check at <a href="http://caniuse.com/#feat=contentsecuritypolicy">caniuse.com</a> whether your browser supports CSP.</p>
<h3>Affected Software</h3>
<ul>
<li>Nextcloud Server &lt; <strong>9.0.52</strong> (CVE-2016-7419)</li>
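Review bot: The new single-paragraph Description concatenates three former paragraphs without a separator, producing "attack.To exploit this vulnerability" and "sharing window there.Since Nextcloud". The defect being removed is the doubled <p><p> nesting, so drop only the outer pair and keep the three inner <p> elements as siblings. That keeps the exploitation preconditions and the Content-Security-Policy caveat readable as separate statements.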
@@ -26,8 +23,9 @@
</ul>
<h3>Action Taken</h3>
- <p><p>The user input is now properly sanitised before provided back to the user. </p>
-</p>
+ <p>The user input is now properly sanitised before provided back to the user. </p>
+ <h3>Resolution</h3>
+ <p>It is recommended that all instances are upgraded to Nextcloud 9.0.52.</p>
<h3>Acknowledgements</h3>
<p>The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:</p>
<ul>
diff --git a/advisories/nc-sa-2016-002.php b/advisories/nc-sa-2016-002.php
index b6147a8c..d8f47361 100644
--- a/advisories/nc-sa-2016-002.php
+++ b/advisories/nc-sa-2016-002.php
@@ -13,9 +13,7 @@
<p>CWE: <a href="https://cwe.mitre.org/data/definitions/209.html">Cross-Site Scripting Using MIME Type Mismatch (CWE-209)</a></p>
<p>HackerOne report: <a href="https://hackerone.com/reports/146278">146278</a></p>
<h3>Description</h3>
- <p><p>The "download log" functionality in the admin screen is delivering the log in JSON format to the end-user. The file was delivered with an attachment disposition forcing the browser to download the document. However, Firefox running on Microsoft Windows would offer the user to open the data in the browser as HTML document. Thus any injected data in the log would be executed.</p>
-<p>While the document would only be executed locally (thus on another scope) we have decided to fix this to protect our users.</p>
-</p>
+ <p>The "download log" functionality in the admin screen is delivering the log in JSON format to the end-user. The file was delivered with an attachment disposition forcing the browser to download the document. However, Firefox running on Microsoft Windows would offer the user to open the data in the browser as HTML document. Thus any injected data in the log would be executed.While the document would only be executed locally (thus on another scope) we have decided to fix this to protect our users.</p>
<h3>Affected Software</h3>
<ul>
<li>Nextcloud Server &lt; <strong>9.0.52</strong> (CVE-2016-9459)</li>
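Review bot: The merged Description runs "would be executed.While the document would only be executed locally" together with no space or paragraph break. The second sentence is the scope limitation of the issue and should stay in its own <p>; remove the outer wrapper only, rather than flattening the inner paragraphs into one.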
@@ -25,8 +23,9 @@
</ul>
<h3>Action Taken</h3>
- <p><p>The file is now delivered with a content-type of "application/octet-stream".</p>
-</p>
+ <p>The file is now delivered with a content-type of "application/octet-stream".</p>
+ <h3>Resolution</h3>
+ <p>It is recommended that all instances are upgraded to Nextcloud 9.0.52.</p>
<h3>Acknowledgements</h3>
<p>The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:</p>
<ul>
diff --git a/advisories/nc-sa-2016-003.php b/advisories/nc-sa-2016-003.php
index 6c95317e..440a0bf3 100644
--- a/advisories/nc-sa-2016-003.php
+++ b/advisories/nc-sa-2016-003.php
@@ -13,8 +13,7 @@
<p>CWE: <a href="https://cwe.mitre.org/data/definitions/451.html">User Interface (UI) Misrepresentation of Critical Information (CWE-451)</a></p>
<p>HackerOne report: <a href="https://hackerone.com/reports/145463">145463</a></p>
<h3>Description</h3>
- <p><p>The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user.</p>
-</p>
+ <p>The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user.</p>
<h3>Affected Software</h3>
<ul>
<li>Nextcloud Server &lt; <strong>9.0.52</strong> (CVE-2016-9460)</li>
@@ -26,8 +25,9 @@
</ul>
<h3>Action Taken</h3>
- <p><p>The passed parameter is now verified.</p>
-</p>
+ <p>The passed parameter is now verified.</p>
+ <h3>Resolution</h3>
+ <p>It is recommended that all instances are upgraded to Nextcloud 9.0.52.</p>
<h3>Acknowledgements</h3>
<p>The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:</p>
<ul>
diff --git a/advisories/nc-sa-2016-004.php b/advisories/nc-sa-2016-004.php
index 71bb9680..c65451ff 100644
--- a/advisories/nc-sa-2016-004.php
+++ b/advisories/nc-sa-2016-004.php
@@ -13,8 +13,7 @@
<p>CWE: <a href="https://cwe.mitre.org/data/definitions/275.html">Permission Issues (CWE-275)</a></p>
<p>HackerOne report: <a href="https://hackerone.com/reports/145950">145950</a></p>
<h3>Description</h3>
- <p><p>The WebDAV endpoint was not properly checking the permission on a WebDAV "COPY" action. This allowed an authenticated attacker with access to a read-only share to put new files in there. It was not possible to modify existing files.</p>
-</p>
+ <p>The WebDAV endpoint was not properly checking the permission on a WebDAV "COPY" action. This allowed an authenticated attacker with access to a read-only share to put new files in there. It was not possible to modify existing files.</p>
<h3>Affected Software</h3>
<ul>
<li>Nextcloud Server &lt; <strong>9.0.52</strong> (CVE-2016-9461)</li>
@@ -24,8 +23,9 @@
</ul>
<h3>Action Taken</h3>
- <p><p>The permission check is now also performed on "COPY" actions,</p>
-</p>
+ <p>The permission check is now also performed on "COPY" actions,</p>
+ <h3>Resolution</h3>
+ <p>It is recommended that all instances are upgraded to Nextcloud 9.0.52.</p>
<h3>Acknowledgements</h3>
<p>The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:</p>
<ul>
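Review bot: The rewritten Action Taken line still ends with a comma ("performed on "COPY" actions,"). Since this line is being replaced anyway, end the sentence with a full stop, and apply the same fix wherever the text is sourced from if these files are generated.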
diff --git a/advisories/nc-sa-2016-005.php b/advisories/nc-sa-2016-005.php
index 69152f0f..6352b59d 100644
--- a/advisories/nc-sa-2016-005.php
+++ b/advisories/nc-sa-2016-005.php
@@ -13,8 +13,7 @@
<p>CWE: <a href="https://cwe.mitre.org/data/definitions/275.html">Permission Issues (CWE-275)</a></p>
<p>HackerOne report: <a href="https://hackerone.com/reports/146067">146067</a></p>
<h3>Description</h3>
- <p><p>The restore capability of Nextcloud was not verifying whether an user has only read-only access to a share. Thus an user with read-only access was able to restore old versions.</p>
-</p>
+ <p>The restore capability of Nextcloud was not verifying whether an user has only read-only access to a share. Thus an user with read-only access was able to restore old versions.</p>
<h3>Affected Software</h3>
<ul>
<li>Nextcloud Server &lt; <strong>9.0.52</strong> (CVE-2016-9462)</li>
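Review bot: The replaced Description line carries "an user" over twice ("whether an user has only read-only access", "Thus an user with read-only access"). As the line is rewritten in this change, correct both to "a user"; the same wording appears in the matching advisories.rss entry.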
@@ -24,8 +23,9 @@
</ul>
<h3>Action Taken</h3>
- <p><p>The permission check is now also performed on restore actions.</p>
-</p>
+ <p>The permission check is now also performed on restore actions.</p>
+ <h3>Resolution</h3>
+ <p>It is recommended that all instances are upgraded to Nextcloud 9.0.52.</p>
<h3>Acknowledgements</h3>
<p>The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:</p>
<ul>
diff --git a/advisories/nc-sa-2016-006.php b/advisories/nc-sa-2016-006.php
index 3bb5152b..79df9efc 100644
--- a/advisories/nc-sa-2016-006.php
+++ b/advisories/nc-sa-2016-006.php
@@ -13,12 +13,7 @@
<p>CWE: <a href="https://cwe.mitre.org/data/definitions/303.html">Incorrect Implementation of Authentication Algorithms (CWE-303)</a></p>
<p>HackerOne report: <a href="https://hackerone.com/reports/148151">148151</a></p>
<h3>Description</h3>
- <p><p>Nextcloud includes an optional and not by default enabled SMB authentication component that allows to authenticate users against an SMB server.</p>
-<p>This backend is implemented in a way that it tries to connect to a SMB server and if that succeeded consider the user logged-in.</p>
-<p>The backend did not properly take into account SMB servers that any kind of anonymous auth configured. This is the default on SMB servers nowadays and allows an unauthenticated attacker to gain access to an account without valid credentials.</p>
-<p><strong>Note:</strong> The SMB backend is disabled by default and requires manual configuration in the Nextcloud config file. If you have not configured the SMB backend then you're not affected by this vulnerability.</p>
-<p><em><a href="https://rhinosecuritylabs.com/2016/10/operation-ownedcloud-exploitation-post-exploitation-persistence/">The reporter has published a blog post about this issue on their website as well.</a></em></p>
-</p>
+ <p>Nextcloud includes an optional and not by default enabled SMB authentication component that allows to authenticate users against an SMB server.This backend is implemented in a way that it tries to connect to a SMB server and if that succeeded consider the user logged-in.The backend did not properly take into account SMB servers that any kind of anonymous auth configured. This is the default on SMB servers nowadays and allows an unauthenticated attacker to gain access to an account without valid credentials.<strong>Note:</strong> The SMB backend is disabled by default and requires manual configuration in the Nextcloud config file. If you have not configured the SMB backend then you're not affected by this vulnerability.<em><a href="https://rhinosecuritylabs.com/2016/10/operation-ownedcloud-exploitation-post-exploitation-persistence/">The reporter has published a blog post about this issue on their website as well.</a></em></p>
<h3>Affected Software</h3>
<ul>
<li>Nextcloud Server &lt; <strong>9.0.54</strong> (CVE-2016-9463)</li>
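Review bot: Five separate blocks are collapsed into one <p> in this Description with nothing between them: "SMB server.This backend", "logged-in.The backend", "valid credentials.<strong>Note:</strong>" and "this vulnerability.<em><a href=...". The "Note:" stating that the SMB backend is disabled by default is what tells an administrator whether they are affected, and it is now buried mid-paragraph, with the reporter link run into the end of it. Keep the inner <p> elements and remove only the outer <p>...</p> pair. While touching the line, "SMB servers that any kind of anonymous auth configured" is also missing a verb.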
@@ -32,8 +27,9 @@
</ul>
<h3>Action Taken</h3>
- <p><p>The SMB backend is now performing an additional authentication attempt with invalid credentials. If that succeeds as well it assumes that anonymous authentications are enabled and denies the login attempt.</p>
-</p>
+ <p>The SMB backend is now performing an additional authentication attempt with invalid credentials. If that succeeds as well it assumes that anonymous authentications are enabled and denies the login attempt.</p>
+ <h3>Resolution</h3>
+ <p>It is recommended that all instances are upgraded to Nextcloud 9.0.54 or 10.0.1.</p>
<h3>Acknowledgements</h3>
<p>The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:</p>
<ul>
diff --git a/advisories/nc-sa-2016-007.php b/advisories/nc-sa-2016-007.php
index 4899a5bd..ac5d5862 100644
--- a/advisories/nc-sa-2016-007.php
+++ b/advisories/nc-sa-2016-007.php
@@ -13,8 +13,7 @@
<p>CWE: <a href="https://cwe.mitre.org/data/definitions/285.html">Improper Authorization (CWE-285)</a></p>
<p>HackerOne report: <a href="https://hackerone.com/reports/153905">153905</a></p>
<h3>Description</h3>
- <p><p>The Sharing Backend as implemented in Nextcloud does differentiate between shares to users and groups. In case of a received group share, users should be able to unshare the file to themselves but not to the whole group. The previous API implementation did simply unshare the file to all users in the group.</p>
-</p>
+ <p>The Sharing Backend as implemented in Nextcloud does differentiate between shares to users and groups. In case of a received group share, users should be able to unshare the file to themselves but not to the whole group. The previous API implementation did simply unshare the file to all users in the group.</p>
<h3>Affected Software</h3>
<ul>
<li>Nextcloud Server &lt; <strong>9.0.54</strong> (CVE-2016-9464)</li>
@@ -30,8 +29,9 @@
</ul>
<h3>Action Taken</h3>
- <p><p>Additional access control checks have been added to the sharing API.</p>
-</p>
+ <p>Additional access control checks have been added to the sharing API.</p>
+ <h3>Resolution</h3>
+ <p>It is recommended that all instances are upgraded to Nextcloud 9.0.54 or 10.0.0.</p>
<h3>Acknowledgements</h3>
<p>The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:</p>
<ul>
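Review bot: The new Resolution line recommends "9.0.54 or 10.0.0", while the other 2016 advisories changed in this commit pair 9.0.54 with 10.0.1. Only the 9.0.54 entry of the Affected Software list is visible in this diff, so please confirm that 10.0.0 matches the second affected-version entry and was not carried over by mistake; an administrator following this line needs to land on a release that actually contains the sharing API access control checks.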
diff --git a/advisories/nc-sa-2016-008.php b/advisories/nc-sa-2016-008.php
index b59d8cf3..73de2a06 100644
--- a/advisories/nc-sa-2016-008.php
+++ b/advisories/nc-sa-2016-008.php
@@ -13,9 +13,7 @@
<p>CWE: <a href="https://cwe.mitre.org/data/definitions/79.html">Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)</a></p>
<p>HackerOne report: <a href="https://hackerone.com/reports/163338">163338</a></p>
<h3>Description</h3>
- <p><p>The CardDAV image export functionality as implemented in Nextcloud allows the download of images stored within a vCard. Due to not performing any kind of verification on the image content this is prone to a stored Cross-Site Scripting attack.</p>
-<p><strong>Note:</strong> Nextcloud employs a very strict Content Security Policy on the DAV endpoints. This is thus only exploitable on browsers that don't support Content Security Policy.</p>
-</p>
+ <p>The CardDAV image export functionality as implemented in Nextcloud allows the download of images stored within a vCard. Due to not performing any kind of verification on the image content this is prone to a stored Cross-Site Scripting attack.<strong>Note:</strong> Nextcloud employs a very strict Content Security Policy on the DAV endpoints. This is thus only exploitable on browsers that don't support Content Security Policy.</p>
<h3>Affected Software</h3>
<ul>
<li>Nextcloud Server &lt; <strong>10.0.1</strong> (CVE-2016-9465)</li>
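Review bot: In the added Description line the Note is now glued to the previous sentence ("Cross-Site Scripting attack.<strong>Note:</strong>"). That Note carries the exploitability caveat (only browsers without Content Security Policy support are affected), so readers triaging the advisory should not have to find it mid-paragraph. Keep it as its own <p> or insert a space or <br> before <strong>Note:</strong>.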
@@ -25,8 +23,9 @@
</ul>
<h3>Action Taken</h3>
- <p><p>The mimetype of the exported image is now compared with a whitelist as well as download disposition headers have been set on the response.</p>
-</p>
+ <p>The mimetype of the exported image is now compared with a whitelist as well as download disposition headers have been set on the response.</p>
+ <h3>Resolution</h3>
+ <p>It is recommended that all instances are upgraded to Nextcloud 10.0.1.</p>
<h3>Acknowledgements</h3>
<p>The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:</p>
<ul>
diff --git a/advisories/nc-sa-2016-009.php b/advisories/nc-sa-2016-009.php
index 8592fe45..d1aa9818 100644
--- a/advisories/nc-sa-2016-009.php
+++ b/advisories/nc-sa-2016-009.php
@@ -13,8 +13,7 @@
<p>CWE: <a href="https://cwe.mitre.org/data/definitions/79.html">Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)</a></p>
<p>HackerOne report: <a href="https://hackerone.com/reports/165686">165686</a></p>
<h3>Description</h3>
- <p><p>The gallery app was not properly sanitizing exception messages from the Nextcloud server. Due to an endpoint where an attacker could influence the error message this lead to a reflected Cross-Site-Scripting vulnerability.</p>
-</p>
+ <p>The gallery app was not properly sanitizing exception messages from the Nextcloud server. Due to an endpoint where an attacker could influence the error message this lead to a reflected Cross-Site-Scripting vulnerability.</p>
<h3>Affected Software</h3>
<ul>
<li>Nextcloud Server &lt; <strong>10.0.1</strong> (CVE-2016-9466)</li>
@@ -24,8 +23,9 @@
</ul>
<h3>Action Taken</h3>
- <p><p>Error messages are now properly sanitized.</p>
-</p>
+ <p>Error messages are now properly sanitized.</p>
+ <h3>Resolution</h3>
+ <p>It is recommended that all instances are upgraded to Nextcloud 10.0.1.</p>
<h3>Acknowledgements</h3>
<p>The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:</p>
<ul>
diff --git a/advisories/nc-sa-2016-010.php b/advisories/nc-sa-2016-010.php
index 1c7dfc50..e856c8cf 100644
--- a/advisories/nc-sa-2016-010.php
+++ b/advisories/nc-sa-2016-010.php
@@ -13,8 +13,7 @@
<p>CWE: <a href="https://cwe.mitre.org/data/definitions/451.html">User Interface (UI) Misrepresentation of Critical Information (CWE-451)</a></p>
<p>HackerOne report: <a href="https://hackerone.com/reports/154827">154827</a></p>
<h3>Description</h3>
- <p><p>The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user.</p>
-</p>
+ <p>The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user.</p>
<h3>Affected Software</h3>
<ul>
<li>Nextcloud Server &lt; <strong>10.0.1</strong> (CVE-2016-9467)</li>
@@ -32,8 +31,9 @@
</ul>
<h3>Action Taken</h3>
- <p><p>The passed parameter is now verified.</p>
-</p>
+ <p>The passed parameter is now verified.</p>
+ <h3>Resolution</h3>
+ <p>It is recommended that all instances are upgraded to Nextcloud 9.0.54 or 10.0.1.</p>
<h3>Acknowledgements</h3>
<p>The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:</p>
<ul>
diff --git a/advisories/nc-sa-2016-011.php b/advisories/nc-sa-2016-011.php
index c411b83f..8a1e7fb6 100644
--- a/advisories/nc-sa-2016-011.php
+++ b/advisories/nc-sa-2016-011.php
@@ -13,8 +13,7 @@
<p>CWE: <a href="https://cwe.mitre.org/data/definitions/451.html">User Interface (UI) Misrepresentation of Critical Information (CWE-451)</a></p>
<p>HackerOne report: <a href="https://hackerone.com/reports/149798">149798</a></p>
<h3>Description</h3>
- <p><p>The exception message displayed on the DAV endpoints contained partially user-controllable input leading to a potential misrepresentation of information.</p>
-</p>
+ <p>The exception message displayed on the DAV endpoints contained partially user-controllable input leading to a potential misrepresentation of information.</p>
<h3>Affected Software</h3>
<ul>
<li>Nextcloud Server &lt; <strong>10.0.1</strong> (CVE-2016-9468)</li>
@@ -28,8 +27,9 @@
</ul>
<h3>Action Taken</h3>
- <p><p>The user-controlled content has been removed from the exception message.</p>
-</p>
+ <p>The user-controlled content has been removed from the exception message.</p>
+ <h3>Resolution</h3>
+ <p>It is recommended that all instances are upgraded to Nextcloud 9.0.54 or 10.0.1.</p>
<h3>Acknowledgements</h3>
<p>The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:</p>
<ul>
diff --git a/advisories/nc-sa-2017-001.php b/advisories/nc-sa-2017-001.php
index 33b422a5..343304c1 100644
--- a/advisories/nc-sa-2017-001.php
+++ b/advisories/nc-sa-2017-001.php
@@ -13,9 +13,7 @@
<p>CWE: <a href="https://cwe.mitre.org/data/definitions/275.html">Permission Issues (CWE-275)</a></p>
<p>HackerOne report: <a href="https://hackerone.com/reports/169680">169680</a></p>
<h3>Description</h3>
- <p><p>A permission related issue within the OCS sharing API allowed an authenticated adversary to reshare shared files with an increasing permission set. This may allow an attacker to edit files in a share despite having only a 'read' permission set.</p>
-<p>Note that this only affects folders and files that the adversary has at least read-only permissions for.</p>
-</p>
+ <p>A permission related issue within the OCS sharing API allowed an authenticated adversary to reshare shared files with an increasing permission set. This may allow an attacker to edit files in a share despite having only a 'read' permission set.Note that this only affects folders and files that the adversary has at least read-only permissions for.</p>
<h3>Affected Software</h3>
<ul>
<li>Nextcloud Server &lt; <strong>10.0.2</strong> (CVE-2017-0883)</li>
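Review bot: The added Description line joins two former paragraphs without a separator, producing "'read' permission set.Note that this only affects". Add a space after the period or keep the scope note ("at least read-only permissions") in a separate <p>, since it limits who can exploit the reshare issue.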
@@ -23,8 +21,9 @@
</ul>
<h3>Action Taken</h3>
- <p><p>The permissions are now properly checked on the OCS endpoint.</p>
-</p>
+ <p>The permissions are now properly checked on the OCS endpoint.</p>
+ <h3>Resolution</h3>
+ <p>It is recommended that all instances are upgraded to Nextcloud 9.0.55 or 10.0.2.</p>
<h3>Acknowledgements</h3>
<p>The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:</p>
<ul>
diff --git a/advisories/nc-sa-2017-002.php b/advisories/nc-sa-2017-002.php
index c19340ad..6104208a 100644
--- a/advisories/nc-sa-2017-002.php
+++ b/advisories/nc-sa-2017-002.php
@@ -13,9 +13,7 @@
<p>CWE: <a href="https://cwe.mitre.org/data/definitions/275.html">Permission Issues (CWE-275)</a></p>
<p>HackerOne report: <a href="https://hackerone.com/reports/169680">169680</a></p>
<h3>Description</h3>
- <p><p>Due to a logical error in the file caching layer an authenticated adversary is able to create empty folders inside a shared folder.</p>
-<p>Note that this only affects folders and files that the adversary has at least read-only permissions for.</p>
-</p>
+ <p>Due to a logical error in the file caching layer an authenticated adversary is able to create empty folders inside a shared folder.Note that this only affects folders and files that the adversary has at least read-only permissions for.</p>
<h3>Affected Software</h3>
<ul>
<li>Nextcloud Server &lt; <strong>10.0.2</strong> (CVE-2017-0884)</li>
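Review bot: The added Description line reads "inside a shared folder.Note that this only affects" with no space after the period. The flattening that removed the nested <p> should join the former paragraphs with a space or <br>, or leave the precondition note in its own <p>.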
@@ -23,8 +21,9 @@
</ul>
<h3>Action Taken</h3>
- <p><p>The file cache operation is now only performed if the file system operation succeeded.</p>
-</p>
+ <p>The file cache operation is now only performed if the file system operation succeeded.</p>
+ <h3>Resolution</h3>
+ <p>It is recommended that all instances are upgraded to Nextcloud 9.0.55 or 10.0.2.</p>
<h3>Acknowledgements</h3>
<p>The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:</p>
<ul>
diff --git a/advisories/nc-sa-2017-003.php b/advisories/nc-sa-2017-003.php
index ebe7f1d9..53e0ffc0 100644
--- a/advisories/nc-sa-2017-003.php
+++ b/advisories/nc-sa-2017-003.php
@@ -13,8 +13,7 @@
<p>CWE: <a href="https://cwe.mitre.org/data/definitions/209.html">Information Exposure Through an Error Message (CWE-209)</a></p>
<p>HackerOne report: <a href="https://hackerone.com/reports/174524">174524</a></p>
<h3>Description</h3>
- <p><p>Due to an error in the application logic an adversary with access to a write-only share may enumerate the names of existing files and subfolders by comparing the exception messages.</p>
-</p>
+ <p>Due to an error in the application logic an adversary with access to a write-only share may enumerate the names of existing files and subfolders by comparing the exception messages.</p>
<h3>Affected Software</h3>
<ul>
<li>Nextcloud Server &lt; <strong>10.0.2</strong> (CVE-2017-0885)</li>
@@ -22,8 +21,9 @@
</ul>
<h3>Action Taken</h3>
- <p><p>The error in the application logic has been addressed.</p>
-</p>
+ <p>The error in the application logic has been addressed.</p>
+ <h3>Resolution</h3>
+ <p>It is recommended that all instances are upgraded to Nextcloud 9.0.55 or 10.0.2.</p>
<h3>Acknowledgements</h3>
<p>The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:</p>
<ul>
diff --git a/advisories/nc-sa-2017-004.php b/advisories/nc-sa-2017-004.php
index a653ebe3..8af2a905 100644
--- a/advisories/nc-sa-2017-004.php
+++ b/advisories/nc-sa-2017-004.php
@@ -13,8 +13,7 @@
<p>CWE: <a href="https://cwe.mitre.org/data/definitions/674.html">Uncontrolled Recursion (CWE-674)</a></p>
<p>HackerOne report: <a href="https://hackerone.com/reports/174524">174524</a></p>
<h3>Description</h3>
- <p><p>Due to an error in the application logic an authenticated adversary may trigger an endless recursion in the application leading to a potential Denial of Service.</p>
-</p>
+ <p>Due to an error in the application logic an authenticated adversary may trigger an endless recursion in the application leading to a potential Denial of Service.</p>
<h3>Affected Software</h3>
<ul>
<li>Nextcloud Server &lt; <strong>10.0.2</strong> (CVE-2017-0886)</li>
@@ -22,8 +21,9 @@
</ul>
<h3>Action Taken</h3>
- <p><p>The code path leading to the endless recursion is now properly handled.</p>
-</p>
+ <p>The code path leading to the endless recursion is now properly handled.</p>
+ <h3>Resolution</h3>
+ <p>It is recommended that all instances are upgraded to Nextcloud 9.0.55 or 10.0.2.</p>
<h3>Acknowledgements</h3>
<p>The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:</p>
<ul>
diff --git a/advisories/nc-sa-2017-005.php b/advisories/nc-sa-2017-005.php
index 85567514..23d9e1a7 100644
--- a/advisories/nc-sa-2017-005.php
+++ b/advisories/nc-sa-2017-005.php
@@ -13,8 +13,7 @@
<p>CWE: <a href="https://cwe.mitre.org/data/definitions/807.html">Reliance on Untrusted Inputs in a Security Decision (CWE-807)</a></p>
<p>HackerOne report: <a href="https://hackerone.com/reports/173622">173622</a></p>
<h3>Description</h3>
- <p><p>Due to not properly sanitzing values provided by the `OC-Total-Length` HTTP header an authenticated adversary may be able to exceed their configured user quota. Thus using more space than allowed by the administrator.</p>
-</p>
+ <p>Due to not properly sanitzing values provided by the `OC-Total-Length` HTTP header an authenticated adversary may be able to exceed their configured user quota. Thus using more space than allowed by the administrator.</p>
<h3>Affected Software</h3>
<ul>
<li>Nextcloud Server &lt; <strong>10.0.2</strong> (CVE-2017-0887)</li>
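Review bot: The added Description line still contains Markdown backticks around `OC-Total-Length`, which render literally in this HTML file; use <code>OC-Total-Length</code> instead (the same applies to the Action Taken text in the next hunk of this file). Since the line is rewritten anyway, "sanitzing" should be "sanitizing", and "Thus using more space than allowed by the administrator." is a fragment that reads better joined to the previous sentence.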
@@ -22,8 +21,9 @@
</ul>
<h3>Action Taken</h3>
- <p><p>The `OC-Total-Length` HTTP header is now properly sanitized.</p>
-</p>
+ <p>The `OC-Total-Length` HTTP header is now properly sanitized.</p>
+ <h3>Resolution</h3>
+ <p>It is recommended that all instances are upgraded to Nextcloud 9.0.55 or 10.0.2.</p>
<h3>Acknowledgements</h3>
<p>The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:</p>
<ul>
diff --git a/advisories/nc-sa-2017-006.php b/advisories/nc-sa-2017-006.php
index af9b18d1..f2e0e1b4 100644
--- a/advisories/nc-sa-2017-006.php
+++ b/advisories/nc-sa-2017-006.php
@@ -13,8 +13,7 @@
<p>CWE: <a href="https://cwe.mitre.org/data/definitions/451.html">User Interface (UI) Misrepresentation of Critical Information (CWE-451)</a></p>
<p>HackerOne report: <a href="https://hackerone.com/reports/179073">179073</a></p>
<h3>Description</h3>
- <p><p>The top navigation bar displayed in the files list contained partially user-controllable input leading to a potential misrepresentation of information.</p>
-</p>
+ <p>The top navigation bar displayed in the files list contained partially user-controllable input leading to a potential misrepresentation of information.</p>
<h3>Affected Software</h3>
<ul>
<li>Nextcloud Server &lt; <strong>10.0.2</strong> (CVE-2017-0888)</li>
@@ -22,8 +21,9 @@
</ul>
<h3>Action Taken</h3>
- <p><p>The user-controlled content is now not trusted anymore unless the folder structure exists on the file system.</p>
-</p>
+ <p>The user-controlled content is now not trusted anymore unless the folder structure exists on the file system.</p>
+ <h3>Resolution</h3>
+ <p>It is recommended that all instances are upgraded to Nextcloud 9.0.55 or 10.0.2.</p>
<h3>Acknowledgements</h3>
<p>The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:</p>
<ul>
diff --git a/advisories/nc-sa-2017-007.php b/advisories/nc-sa-2017-007.php
index 8f18d00d..ce569027 100644
--- a/advisories/nc-sa-2017-007.php
+++ b/advisories/nc-sa-2017-007.php
@@ -13,16 +13,16 @@
<p>CWE: <a href="https://cwe.mitre.org/data/definitions/79.html">Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)</a></p>
<p>HackerOne report: <a href="https://hackerone.com/reports/213227">213227</a></p>
<h3>Description</h3>
- <p><p>Inadequate escaping lead to XSS vulnerability in the search module. To be exploitable an user has to write or paste malicious content into the search dialogue.</p>
-</p>
+ <p>Inadequate escaping lead to XSS vulnerability in the search module. To be exploitable an user has to write or paste malicious content into the search dialogue.</p>
<h3>Affected Software</h3>
<ul>
<li>Nextcloud Server &lt; <strong>11.0.3</strong> (CVE-2017-0890)</li>
</ul>
<h3>Action Taken</h3>
- <p><p>The content is now properly escaped, furthermore for Nextcloud 12 we have <a href="https://statuscode.ch/2017/03/CSP-unsafe-eval-and-jquery/">hardened jQuery</a> to prevent such CSP bypasses.</p>
-</p>
+ <p>The content is now properly escaped, furthermore for Nextcloud 12 we have <a href="https://statuscode.ch/2017/03/CSP-unsafe-eval-and-jquery/">hardened jQuery</a> to prevent such CSP bypasses.</p>
+ <h3>Resolution</h3>
+ <p>It is recommended that all instances are upgraded to Nextcloud 11.0.3.</p>
<h3>Acknowledgements</h3>
<p>The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:</p>
<ul>
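Review bot: Two wording errors survive on the rewritten Description line: "Inadequate escaping lead to XSS vulnerability" should be "led to an XSS vulnerability", and "an user" should be "a user". The Action Taken line also refers to "such CSP bypasses" although the Description never mentions Content Security Policy; one clause in the Description saying the issue bypassed the CSP would make the hardening reference understandable.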
diff --git a/advisories/nc-sa-2017-008.php b/advisories/nc-sa-2017-008.php
index baf40e7a..f79c9e4d 100644
--- a/advisories/nc-sa-2017-008.php
+++ b/advisories/nc-sa-2017-008.php
@@ -13,9 +13,7 @@
<p>CWE: <a href="https://cwe.mitre.org/data/definitions/79.html">Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)</a></p>
<p>HackerOne report: <a href="https://hackerone.com/reports/216812">216812</a></p>
<h3>Description</h3>
- <p><p>Inadequate escaping of error messages leads to XSS vulnerabilities in multiple components.</p>
-<p>Note that Nextcloud employs a strict Content-Security-Policy preventing exploitation of this XSS issue on modern web browsers.</p>
-</p>
+ <p>Inadequate escaping of error messages leads to XSS vulnerabilities in multiple components.Note that Nextcloud employs a strict Content-Security-Policy preventing exploitation of this XSS issue on modern web browsers.</p>
<h3>Affected Software</h3>
<ul>
<li>Nextcloud Server &lt; <strong>11.0.3</strong> (CVE-2017-0891)</li>
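Review bot: The added Description line runs the mitigation note into the finding: "multiple components.Note that Nextcloud employs a strict Content-Security-Policy". Add the missing space or keep the note in a separate <p>, so that the statement about exploitability on modern browsers remains easy to spot.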
@@ -24,8 +22,9 @@
</ul>
<h3>Action Taken</h3>
- <p><p>Error messages are now properly escaped.</p>
-</p>
+ <p>Error messages are now properly escaped.</p>
+ <h3>Resolution</h3>
+ <p>It is recommended that all instances are upgraded to Nextcloud 9.0.58, 10.0.5 or 11.0.3.</p>
<h3>Acknowledgements</h3>
<p>The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:</p>
<ul>
diff --git a/advisories/nc-sa-2017-009.php b/advisories/nc-sa-2017-009.php
index 36470dca..6cec9289 100644
--- a/advisories/nc-sa-2017-009.php
+++ b/advisories/nc-sa-2017-009.php
@@ -13,16 +13,16 @@
<p>CWE: <a href="https://cwe.mitre.org/data/definitions/285.html">Improper Authorization (CWE-285)</a></p>
<p>HackerOne report: <a href="https://hackerone.com/reports/191979">191979</a></p>
<h3>Description</h3>
- <p><p>Improper session handling allowed an application specific password without permission to the files access to the users file.</p>
-</p>
+ <p>Improper session handling allowed an application specific password without permission to the files access to the users file.</p>
<h3>Affected Software</h3>
<ul>
<li>Nextcloud Server &lt; <strong>11.0.3</strong> (CVE-2017-0892)</li>
</ul>
<h3>Action Taken</h3>
- <p><p>The permission check has been corrected and reviewed.</p>
-</p>
+ <p>The permission check has been corrected and reviewed.</p>
+ <h3>Resolution</h3>
+ <p>It is recommended that all instances are upgraded to Nextcloud 11.0.3.</p>
<h3>Acknowledgements</h3>
<p>The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:</p>
<ul>
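Review bot: The Description line being rewritten here is hard to parse: "allowed an application specific password without permission to the files access to the users file". If the intent is that an app password lacking file-access permission could still reach the user's files, say so directly, for example "allowed an application-specific password without file access permission to access the user's files". For an Improper Authorization advisory the reader needs to know exactly which restriction was not enforced.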
diff --git a/advisories/nc-sa-2017-010.php b/advisories/nc-sa-2017-010.php
index 724ded84..5da779f0 100644
--- a/advisories/nc-sa-2017-010.php
+++ b/advisories/nc-sa-2017-010.php
@@ -13,9 +13,7 @@
<p>CWE: <a href="https://cwe.mitre.org/data/definitions/79.html">Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)</a></p>
<p>HackerOne report: <a href="https://hackerone.com/reports/222838">222838</a></p>
<h3>Description</h3>
- <p><p>A JavaScript library used by Nextcloud for sanitizing untrusted user-input suffered from a XSS vulnerability caused by a behaviour change in Safari 10.1 and 10.2.</p>
-<p>Note that Nextcloud employs a strict Content-Security-Policy preventing exploitation of this XSS issue on modern web browsers.</p>
-</p>
+ <p>A JavaScript library used by Nextcloud for sanitizing untrusted user-input suffered from a XSS vulnerability caused by a behaviour change in Safari 10.1 and 10.2.Note that Nextcloud employs a strict Content-Security-Policy preventing exploitation of this XSS issue on modern web browsers.</p>
<h3>Affected Software</h3>
<ul>
<li>Nextcloud Server &lt; <strong>11.0.3</strong> (CVE-2017-0893)</li>
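Review bot: The added Description line produces "Safari 10.1 and 10.2.Note that", where the missing space makes the version number and the note read as one token. Insert a space or <br> after "10.2.", or keep the Content-Security-Policy note in its own <p>.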
@@ -24,8 +22,9 @@
</ul>
<h3>Action Taken</h3>
- <p><p>The vulnerable library has been updated.</p>
-</p>
+ <p>The vulnerable library has been updated.</p>
+ <h3>Resolution</h3>
+ <p>It is recommended that all instances are upgraded to Nextcloud 9.0.58, 10.0.5 or 11.0.3.</p>
<h3>Acknowledgements</h3>
<p>The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:</p>
<ul>
diff --git a/advisories/nc-sa-2017-011.php b/advisories/nc-sa-2017-011.php
index 66adc256..09c00c16 100644
--- a/advisories/nc-sa-2017-011.php
+++ b/advisories/nc-sa-2017-011.php
@@ -13,16 +13,16 @@
<p>CWE: <a href="https://cwe.mitre.org/data/definitions/548.html">Information Exposure Through Directory Listing (CWE-548)</a></p>
<p>HackerOne report: <a href="https://hackerone.com/reports/218876">218876</a></p>
<h3>Description</h3>
- <p><p>A logical error caused disclosure of valid share tokens for public calendars. Thus granting an attacker potentially access to publicly shared calendars without knowing the share token.</p>
-</p>
+ <p>A logical error caused disclosure of valid share tokens for public calendars. Thus granting an attacker potentially access to publicly shared calendars without knowing the share token.</p>
<h3>Affected Software</h3>
<ul>
<li>Nextcloud Server &lt; <strong>11.0.3</strong> (CVE-2017-0894)</li>
</ul>
<h3>Action Taken</h3>
- <p><p>The error has been fixed and regression tests been added.</p>
-</p>
+ <p>The error has been fixed and regression tests been added.</p>
+ <h3>Resolution</h3>
+ <p>It is recommended that all instances are upgraded to Nextcloud 11.0.3.</p>
<h3>Acknowledgements</h3>
<p>The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:</p>
<ul>
diff --git a/advisories/nc-sa-2017-012.php b/advisories/nc-sa-2017-012.php
index 304d466c..30efe2c4 100644
--- a/advisories/nc-sa-2017-012.php
+++ b/advisories/nc-sa-2017-012.php
@@ -13,8 +13,7 @@
<p>CWE: <a href="https://cwe.mitre.org/data/definitions/548.html">Information Exposure Through Directory Listing (CWE-548)</a></p>
<p>HackerOne report: <a href="https://hackerone.com/reports/203594">203594</a></p>
<h3>Description</h3>
- <p><p>A logical error caused disclosure of calendar and addressbook names to other logged-in users. Note that no actual content of the calendar and adressbook has been disclosed.</p>
-</p>
+ <p>A logical error caused disclosure of calendar and addressbook names to other logged-in users. Note that no actual content of the calendar and adressbook has been disclosed.</p>
<h3>Affected Software</h3>
<ul>
<li>Nextcloud Server &lt; <strong>11.0.2</strong> (CVE-2017-0895)</li>
@@ -22,8 +21,9 @@
</ul>
<h3>Action Taken</h3>
- <p><p>The error has been fixed and regression tests been added.</p>
-</p>
+ <p>The error has been fixed and regression tests been added.</p>
+ <h3>Resolution</h3>
+ <p>It is recommended that all instances are upgraded to Nextcloud 11.0.3.</p>
<h3>Acknowledgements</h3>
<p>The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:</p>
<ul>
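Review bot: The Resolution added here recommends upgrading to Nextcloud 11.0.3, but the Affected Software entry visible in the previous hunk of this file is "Nextcloud Server < 11.0.2" (CVE-2017-0895), which implies 11.0.2 already contains the fix. Please check whether the Resolution should read 11.0.2 or whether the affected-version entry is wrong; the two should agree so administrators on 11.0.2 know whether they still need to act. The Description in the previous hunk also spells "adressbook" once and "addressbook" once.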
diff --git a/advisories/nc-sa-2018-001.php b/advisories/nc-sa-2018-001.php
index 641d3714..867b375c 100644
--- a/advisories/nc-sa-2018-001.php
+++ b/advisories/nc-sa-2018-001.php
@@ -13,8 +13,7 @@
<p>CWE: <a href="https://cwe.mitre.org/data/definitions/639.html">Authorization Bypass Through User-Controlled Key (CWE-639)</a></p>
<p>HackerOne report: <a href="https://hackerone.com/reports/297751">297751</a></p>
<h3>Description</h3>
- <p><p>A missing ownership check allowed logged-in users to change the scope of app passwords of other users. Note that the app passwords themselves where neither disclosed nor could the error be misused to identify as another user.</p>
-</p>
+ <p>A missing ownership check allowed logged-in users to change the scope of app passwords of other users. Note that the app passwords themselves where neither disclosed nor could the error be misused to identify as another user.</p>
<h3>Affected Software</h3>
<ul>
<li>Nextcloud Server &lt; <strong>12.0.5</strong> (CVE-2017-0936)</li>
@@ -22,8 +21,9 @@
</ul>
<h3>Action Taken</h3>
- <p><p>The error has been fixed and regression tests been added.</p>
-</p>
+ <p>The error has been fixed and regression tests been added.</p>
+ <h3>Resolution</h3>
+ <p>It is recommended that all instances are upgraded to Nextcloud 12.0.5.</p>
<h3>Acknowledgements</h3>
<p>The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:</p>
<ul>
diff --git a/advisories/nc-sa-2018-002.php b/advisories/nc-sa-2018-002.php
index f30e06a1..5ec73f02 100644
--- a/advisories/nc-sa-2018-002.php
+++ b/advisories/nc-sa-2018-002.php
@@ -13,8 +13,7 @@
<p>CWE: <a href="https://cwe.mitre.org/data/definitions/273.html">Improper Check for Dropped Privileges (CWE-273)</a></p>
<p>HackerOne report: <a href="https://hackerone.com/reports/358339">358339</a></p>
<h3>Description</h3>
- <p><p>A missing check for read permissions allowed users that received an incomming share containing files tagged so they should be denied access to still request a preview for those files.</p>
-</p>
+ <p>A missing check for read permissions allowed users that received an incomming share containing files tagged so they should be denied access to still request a preview for those files.</p>
<h3>Affected Software</h3>
<ul>
<li>Nextcloud Server &lt; <strong>13.0.3</strong> (CVE-2018-3762)</li>
@@ -22,8 +21,9 @@
</ul>
<h3>Action Taken</h3>
- <p><p>The error has been fixed and regression tests been added.</p>
-</p>
+ <p>The error has been fixed and regression tests been added.</p>
+ <h3>Resolution</h3>
+ <p>It is recommended that all instances are upgraded to Nextcloud 13.0.3.</p>
<h3>Acknowledgements</h3>
<p>The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:</p>
<ul>
diff --git a/advisories/nc-sa-2018-003.php b/advisories/nc-sa-2018-003.php
index fe4470d1..668dc68e 100644
--- a/advisories/nc-sa-2018-003.php
+++ b/advisories/nc-sa-2018-003.php
@@ -13,8 +13,7 @@
<p>CWE: <a href="https://cwe.mitre.org/data/definitions/20.html">Improper Input Validation (CWE-20)</a></p>
<p>HackerOne report: <a href="https://hackerone.com/reports/343111">343111</a></p>
<h3>Description</h3>
- <p><p>Improper validation of input allowed an attacker with access to the OAuth2 refresh token to obtain new tokens.</p>
-</p>
+ <p>Improper validation of input allowed an attacker with access to the OAuth2 refresh token to obtain new tokens.</p>
<h3>Affected Software</h3>
<ul>
<li>Nextcloud Server &lt; <strong>13.0.3</strong> (CVE-2018-3761)</li>
@@ -22,8 +21,9 @@
</ul>
<h3>Action Taken</h3>
- <p><p>The error has been fixed according to RFC6749.</p>
-</p>
+ <p>The error has been fixed according to RFC6749.</p>
+ <h3>Resolution</h3>
+ <p>It is recommended that all instances are upgraded to Nextcloud 13.0.3.</p>
<h3>Acknowledgements</h3>
<p>The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:</p>
<ul>
diff --git a/advisories/nc-sa-2018-004.php b/advisories/nc-sa-2018-004.php
index c7705f35..44d4a3a8 100644
--- a/advisories/nc-sa-2018-004.php
+++ b/advisories/nc-sa-2018-004.php
@@ -13,8 +13,7 @@
<p>CWE: <a href="https://cwe.mitre.org/data/definitions/79.html">Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)</a></p>
<h3>Description</h3>
- <p><p>A missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected group names, hence malicious search results could only be crafted by privileged users like admins or group admins.</p>
-</p>
+ <p>A missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected group names, hence malicious search results could only be crafted by privileged users like admins or group admins.</p>
<h3>Affected Software</h3>
<ul>
<li>Nextcloud Calendar &lt; <strong>1.6.1</strong> (CVE-2018-3763)</li>
@@ -22,8 +21,9 @@
</ul>
<h3>Action Taken</h3>
- <p><p>The error has been fixed.</p>
-</p>
+ <p>The error has been fixed.</p>
+ <h3>Resolution</h3>
+ <p>It is recommended that the calendar app is upgraded to 1.6.1.</p>
<h3>Acknowledgements</h3>
<p>The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:</p>
<ul>
diff --git a/advisories/nc-sa-2018-005.php b/advisories/nc-sa-2018-005.php
index 468427f4..c996487a 100644
--- a/advisories/nc-sa-2018-005.php
+++ b/advisories/nc-sa-2018-005.php
@@ -13,16 +13,16 @@
<p>CWE: <a href="https://cwe.mitre.org/data/definitions/79.html">Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)</a></p>
<h3>Description</h3>
- <p><p>A missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected group names, hence malicious search results could only be crafted by privileged users like admins or group admins.</p>
-</p>
+ <p>A missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected group names, hence malicious search results could only be crafted by privileged users like admins or group admins.</p>
<h3>Affected Software</h3>
<ul>
<li>Nextcloud Contacts &lt; <strong>2.1.2</strong> (CVE-2018-3764)</li>
</ul>
<h3>Action Taken</h3>
- <p><p>The error has been fixed.</p>
-</p>
+ <p>The error has been fixed.</p>
+ <h3>Resolution</h3>
+ <p>It is recommended that the contacts app is upgraded to 2.1.2.</p>
<h3>Acknowledgements</h3>
<p>The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:</p>
<ul>
diff --git a/advisories/nc-sa-2018-006.php b/advisories/nc-sa-2018-006.php
index 746bd2ea..c7517395 100644
--- a/advisories/nc-sa-2018-006.php
+++ b/advisories/nc-sa-2018-006.php
@@ -13,8 +13,7 @@
<p>CWE: <a href="https://cwe.mitre.org/data/definitions/20.html">Improper Input Validation (CWE-20)</a></p>
<p>HackerOne report: <a href="https://hackerone.com/reports/232347">232347</a></p>
<h3>Description</h3>
- <p><p>Improper validation of input allowed an attacker to not have their actions logged to the audit log.</p>
-</p>
+ <p>Improper validation of input allowed an attacker to not have their actions logged to the audit log.</p>
<h3>Affected Software</h3>
<ul>
<li>Nextcloud Server &lt; <strong>12.0.3</strong> (2018-3776)</li>
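Review bot: the Affected Software entry kept as context at the end of this hunk reads "(2018-3776)" without the "CVE-" prefix, whereas nc-sa-2018-005 uses "(CVE-2018-3764)". Since the file is being edited anyway, consider writing "(CVE-2018-3776)" so the identifier can be searched in the same form across all advisories.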
@@ -22,8 +21,9 @@
</ul>
<h3>Action Taken</h3>
- <p><p>The error has been fixed.</p>
-</p>
+ <p>The error has been fixed.</p>
+ <h3>Resolution</h3>
+ <p>It is recommended that all instances are upgraded to at least Nextcloud 12.0.3.</p>
<h3>Acknowledgements</h3>
<p>The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:</p>
<ul>
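Review bot: the added Resolution names only Nextcloud 12.0.3, but the two hunk headers for this file (-13,8 and -22,8) show that part of the Affected Software list lies between the hunks and is not in the diff. If that hidden part lists a second affected branch, the Resolution should name its fixed release too, the way nc-sa-2018-010 and nc-sa-2018-013 give one release per branch.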
diff --git a/advisories/nc-sa-2018-007.php b/advisories/nc-sa-2018-007.php
index 84345974..d26300c9 100644
--- a/advisories/nc-sa-2018-007.php
+++ b/advisories/nc-sa-2018-007.php
@@ -13,16 +13,16 @@
<p>CWE: <a href="https://cwe.mitre.org/data/definitions/287.html">Improper Authentication - Generic (CWE-287)</a></p>
<p>HackerOne report: <a href="https://hackerone.com/reports/248656">248656</a></p>
<h3>Description</h3>
- <p><p>Improper authentication of the second factor challenge would allow an attacker that had access to user credentials to bypass the second factor validation completely.</p>
-</p>
+ <p>Improper authentication of the second factor challenge would allow an attacker that had access to user credentials to bypass the second factor validation completely.</p>
<h3>Affected Software</h3>
<ul>
<li>Nextcloud Server &lt; <strong>12.0.3</strong> (2018-3775)</li>
</ul>
<h3>Action Taken</h3>
- <p><p>The error has been fixed and regression tests are in place.</p>
-</p>
+ <p>The error has been fixed and regression tests are in place.</p>
+ <h3>Resolution</h3>
+ <p>It is recommended that all instances are upgraded at least to Nextcloud 12.0.3.</p>
<h3>Acknowledgements</h3>
<p>The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:</p>
<ul>
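Review bot: the added Resolution line says "upgraded at least to Nextcloud 12.0.3", while nc-sa-2018-006 in the same commit says "upgraded to at least Nextcloud 12.0.3" for the same release. Suggest one word order for both. The context line "(2018-3775)" in this hunk is also missing the "CVE-" prefix used in nc-sa-2018-005.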
diff --git a/advisories/nc-sa-2018-008.php b/advisories/nc-sa-2018-008.php
index 67bc940e..c3bc99a4 100644
--- a/advisories/nc-sa-2018-008.php
+++ b/advisories/nc-sa-2018-008.php
@@ -13,16 +13,16 @@
<p>CWE: <a href="https://cwe.mitre.org/data/definitions/79.html">Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)</a></p>
<h3>Description</h3>
- <p><p>A missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected user names, hence malicious search results could only be crafted by authenticated users.</p>
-</p>
+ <p>A missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected user names, hence malicious search results could only be crafted by authenticated users.</p>
<h3>Affected Software</h3>
<ul>
<li>Nextcloud Server &lt; <strong>13.0.5</strong> (CVE-2018-3780)</li>
</ul>
<h3>Action Taken</h3>
- <p><p>The error has been fixed.</p>
-</p>
+ <p>The error has been fixed.</p>
+ <h3>Resolution</h3>
+ <p>It is recommended that all instances are upgraded to Nextcloud 13.0.5.</p>
<h3>Acknowledgements</h3>
<p>The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:</p>
<ul>
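Review bot: the added Resolution says "upgraded to Nextcloud 13.0.5" with no "at least", although the Affected Software entry covers every release below 13.0.5 and nc-sa-2018-006 and nc-sa-2018-007 both say "at least". Without it the line can be read as pinning to exactly 13.0.5 rather than to 13.0.5 or any later release. Suggest "upgraded to at least Nextcloud 13.0.5".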
diff --git a/advisories/nc-sa-2018-009.php b/advisories/nc-sa-2018-009.php
index ab0c3b07..00d7f5c4 100644
--- a/advisories/nc-sa-2018-009.php
+++ b/advisories/nc-sa-2018-009.php
@@ -13,16 +13,16 @@
<p>CWE: <a href="https://cwe.mitre.org/data/definitions/79.html">Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)</a></p>
<h3>Description</h3>
- <p><p>A missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected user names, hence malicious search results could only be crafted by authenticated users.</p>
-</p>
+ <p>A missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected user names, hence malicious search results could only be crafted by authenticated users.</p>
<h3>Affected Software</h3>
<ul>
<li>Nextcloud Talk &lt; <strong>3.2.5</strong> (CVE-2018-3781)</li>
</ul>
<h3>Action Taken</h3>
- <p><p>The error has been fixed.</p>
-</p>
+ <p>The error has been fixed.</p>
+ <h3>Resolution</h3>
+ <p>It is recommended that the Talk app is upgraded to 3.2.5.</p>
<h3>Acknowledgements</h3>
<p>The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:</p>
<ul>
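Review bot: the Description re-added in this hunk is word for word the one in nc-sa-2018-008, including "only affected user names" and "could only be crafted by authenticated users". Since the commit rewrites the line anyway, it is worth confirming that the text is accurate for Talk and was not carried over unchanged from the Server advisory.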
diff --git a/advisories/nc-sa-2018-010.php b/advisories/nc-sa-2018-010.php
index 0ff63b42..b2b0d5cc 100644
--- a/advisories/nc-sa-2018-010.php
+++ b/advisories/nc-sa-2018-010.php
@@ -13,8 +13,7 @@
<p>CWE: <a href="https://cwe.mitre.org/data/definitions/284.html">Improper Access Control - Generic (CWE-284)</a></p>
<p>HackerOne report: <a href="https://hackerone.com/reports/388515">388515</a></p>
<h3>Description</h3>
- <p><p>Improper revalidation of permissions lead to not accepting access restrictions by acess tokens.</p>
-</p>
+ <p>Improper revalidation of permissions lead to not accepting access restrictions by acess tokens.</p>
<h3>Affected Software</h3>
<ul>
<li>Nextcloud Server &lt; <strong>14.0.0</strong> (CVE assignment pending)</li>
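Review bot: the rewritten Description line carries two errors over from the removed line: "lead" should be the past tense "led", and "acess tokens" should be "access tokens". The commit already replaces this line, so both can be corrected in the same change.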
@@ -23,8 +22,9 @@
</ul>
<h3>Action Taken</h3>
- <p><p>The error has been fixed.</p>
-</p>
+ <p>The error has been fixed.</p>
+ <h3>Resolution</h3>
+ <p>It is recommended that all instances are upgraded to Nextcloud 14.0.0, Nextcloud 13.0.6 or Nextcloud 12.0.11.</p>
<h3>Acknowledgements</h3>
<p>The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:</p>
<ul>
diff --git a/advisories/nc-sa-2018-011.php b/advisories/nc-sa-2018-011.php
index 81e0a10b..413c5d65 100644
--- a/advisories/nc-sa-2018-011.php
+++ b/advisories/nc-sa-2018-011.php
@@ -13,16 +13,16 @@
<p>CWE: <a href="https://cwe.mitre.org/data/definitions/287.html">Improper Authentication - Generic (CWE-287)</a></p>
<p>HackerOne report: <a href="https://hackerone.com/reports/317711">317711</a></p>
<h3>Description</h3>
- <p><p>Missing state would not enforce the use of a second factor at login if the the provider of the second factor failed to load.</p>
-</p>
+ <p>Missing state would not enforce the use of a second factor at login if the the provider of the second factor failed to load.</p>
<h3>Affected Software</h3>
<ul>
<li>Nextcloud Server &lt; <strong>14.0.0</strong> (CVE assignment pending)</li>
</ul>
<h3>Action Taken</h3>
- <p><p>The error has been fixed.</p>
-</p>
+ <p>The error has been fixed.</p>
+ <h3>Resolution</h3>
+ <p>It is recommended that all instances are upgraded to Nextcloud 14.0.0.</p>
<h3>Acknowledgements</h3>
<p>The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:</p>
<ul>
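Review bot: the rewritten Description line keeps the doubled word in "if the the provider of the second factor failed to load". Suggest dropping one "the" while the line is being replaced.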
diff --git a/advisories/nc-sa-2018-012.php b/advisories/nc-sa-2018-012.php
index 20d49e44..388aa6a7 100644
--- a/advisories/nc-sa-2018-012.php
+++ b/advisories/nc-sa-2018-012.php
@@ -13,16 +13,16 @@
<p>CWE: <a href="https://cwe.mitre.org/data/definitions/287.html">Improper Authentication - Generic (CWE-287)</a></p>
<h3>Description</h3>
- <p><p>A missing access check could lead to continued access to password protected link shares when the owner had changed the password.</p>
-</p>
+ <p>A missing access check could lead to continued access to password protected link shares when the owner had changed the password.</p>
<h3>Affected Software</h3>
<ul>
<li>Nextcloud Server &lt; <strong>14.0.0</strong> (CVE assignment pending)</li>
</ul>
<h3>Action Taken</h3>
- <p><p>The error has been fixed.</p>
-</p>
+ <p>The error has been fixed.</p>
+ <h3>Resolution</h3>
+ <p>It is recommended that all instances are upgraded to Nextcloud 14.0.0.</p>
<h3>Acknowledgements</h3>
<p>The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:</p>
<ul>
diff --git a/advisories/nc-sa-2018-013.php b/advisories/nc-sa-2018-013.php
index 8ef47b63..a45b0f2c 100644
--- a/advisories/nc-sa-2018-013.php
+++ b/advisories/nc-sa-2018-013.php
@@ -13,8 +13,7 @@
<p>CWE: <a href="https://cwe.mitre.org/data/definitions/384.html">Session Fixation (CWE-384)</a></p>
<p>HackerOne report: <a href="https://hackerone.com/reports/237184">237184</a></p>
<h3>Description</h3>
- <p><p>A bug causing session fixation could potentially allow an attacker to obtain access to password protected shares.</p>
-</p>
+ <p>A bug causing session fixation could potentially allow an attacker to obtain access to password protected shares.</p>
<h3>Affected Software</h3>
<ul>
<li>Nextcloud Server &lt; <strong>14.0.0</strong> (CVE assignment pending)</li>
@@ -23,8 +22,9 @@
</ul>
<h3>Action Taken</h3>
- <p><p>The error has been fixed.</p>
-</p>
+ <p>The error has been fixed.</p>
+ <h3>Resolution</h3>
+ <p>It is recommended that all instances are upgraded to at least Nextcloud 14.0.0, Nextcloud 13.0.3 or Nextcloud 12.0.8.</p>
<h3>Acknowledgements</h3>
<p>The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:</p>
<ul>
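Review bot: in the added Resolution, "at least Nextcloud 14.0.0, Nextcloud 13.0.3 or Nextcloud 12.0.8" is ambiguous, because "at least" can be read as applying to 14.0.0 only or to all three releases. nc-sa-2018-010 lists its three releases with no "at least" at all. Suggest one consistent form that makes the minimum explicit for each branch, for example "at least Nextcloud 12.0.8, at least Nextcloud 13.0.3 or Nextcloud 14.0.0".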
diff --git a/advisories/nc-sa-2018-014.php b/advisories/nc-sa-2018-014.php
index 10b444f1..f16b51fc 100644
--- a/advisories/nc-sa-2018-014.php
+++ b/advisories/nc-sa-2018-014.php
@@ -13,16 +13,16 @@
<p>CWE: <a href="https://cwe.mitre.org/data/definitions/287.html">Improper Authentication (CWE-287)</a></p>
<p>HackerOne report: <a href="https://hackerone.com/reports/231917">231917</a></p>
<h3>Description</h3>
- <p><p>A missing check could give unauthorized access to the previews of single file password protected shares.</p>
-</p>
+ <p>A missing check could give unauthorized access to the previews of single file password protected shares.</p>
<h3>Affected Software</h3>
<ul>
<li>Nextcloud Server &lt; <strong>14.0.0</strong> (CVE assignment pending)</li>
</ul>
<h3>Action Taken</h3>
- <p><p>The error has been fixed.</p>
-</p>
+ <p>The error has been fixed.</p>
+ <h3>Resolution</h3>
+ <p>It is recommended that all instances are upgraded to Nextcloud 14.0.0.</p>
<h3>Acknowledgements</h3>
<p>The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:</p>
<ul>
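Review bot: the CWE link text kept as context at the top of this hunk reads "Improper Authentication (CWE-287)", while nc-sa-2018-007, nc-sa-2018-011 and nc-sa-2018-012 in this commit label the same CWE "Improper Authentication - Generic (CWE-287)". Suggest using one label for CWE-287 across the advisories.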