Nextcloud Security Advisories RSS Feed

Security Advisories are moving to GitHub Security Advisories

Wed, 2 Jun 2021 10:00:00 +0100

We have moved our new security advisories to GitHub Security Advisories. If you rely on a RSS feed, you can find alternatives discussed in https://github.com/nextcloud/security-advisories/discussions/25.

Desktop Client: Missing URL validation allowed RCE for the server on the Desktop client (NC-SA-2021-008)

Wed, 24 Feb 2021 12:00:00 +0100

Missing validation of URLs in Nextcloud Desktop Client 3.1.2 and earlier allowed a malicious server to execute code on the client. User interaction was required.

For more information please consult the official advisory.

Deck App: New users can read all Nextcloud Deck data from previous user with same username (NC-SA-2021-007)

Wed, 03 Jun 2020 12:00:00 +0200

A logic error in Nextcloud Deck 1.0.1 allowed new users with a duplicate user identifier to use deck data of a previous deleted user.

For more information please consult the official advisory.

Server: External storage app saves password for all users in the database (NC-SA-2021-006)

Sat, 03 Oct 2020 12:00:00 +0200

A missing condition in Nextcloud Server 19 and prior caused the external storage app to always store the users password in a recoverable format.

For more information please consult the official advisory.

Server: Reflected XSS when renaming malicious file (NC-SA-2021-005)

Mon, 25 Jan 2021 12:00:00 +0100

Missing sanitization in Nextcloud Server 20.0.5 and prior allowed to perform a reflected XSS when saving html as file name and causing an error on rename e.g. by renaming to an existing file. The risk is mostly mitigated due to the strict Content-Security-Policy (CSP) of Nextcloud, and thus mainly targets browsers not supporting CSP such as Internet Explorer.

For more information please consult the official advisory.

Server: External storage credentials stored for wrong user (NC-SA-2021-004)

Mon, 25 Jan 2021 12:00:00 +0100

A missing user check in Nextcloud 20.0.5 and prior allowed to populate your own credentials for other users external storage configuration when they did not configure one yet.

For more information please consult the official advisory.

Server: Denial of Service by requesting to reset a password (NC-SA-2021-003)

Sat, 03 Oct 2020 14:00:00 +0200

A wrong check in Nextcloud Server 19 and prior allowed to perform a denial of service attack when resetting the password for a user.

For more information please consult the official advisory.

Server: Stored XSS in markdown file with Nextcloud Talk using Internet Explorer (NC-SA-2021-002)

Wed, 18 Nov 2020 13:00:00 +0100

A missing link validation in Nextcloud Server 20.0.1 allowed to execute a stored XSS attack on Internet Explorer users by saving a javascript url in a Markdown.

For more information please consult the official advisory.

Server: Potential DDoS when posting long data into workflow validation rules (NC-SA-2021-001)

Wed, 18 Nov 2020 13:00:00 +0100

A missing input validation in Nextcloud Server 20.0.1 allowed users to store unlimited data in workflow rules causing load and potential DDoS on later interactions and usage with those rules.

For more information please consult the official advisory.

Contacts App: XSS through image upload of contacts using svg file (NC-SA-2020-045)

Tue, 20 Oct 2020 14:00:00 +0200

A missing file type check in Nextcloud Contacts 3.3.0 allowed a malicious user to upload malicious SVG files to perform XSS attacks.

For more information please consult the official advisory.

Contacts App: XSS through image upload on contacts using svg file with png extension (NC-SA-2020-044)

Tue, 20 Oct 2020 14:00:00 +0200

A missing file type check in Nextcloud Contacts 3.4.0 allowed a malicious user to upload SVG files as PNG files to perform XSS attacks.

For more information please consult the official advisory.

Social App: Social App does not validate server certificates for outgoing connections (NC-SA-2020-043)

Thu, 15 Oct 2020 14:00:00 +0200

Missing validation of server certificates for out-going connections allowed a man-in-the-middle attack.

For more information please consult the official advisory.

Social App: Improper access control to messages of Social app (NC-SA-2020-042)

Thu, 15 Oct 2020 14:00:00 +0200

Improper access control in Social app 0.3.1 allowed to read posts of any user.

For more information please consult the official advisory.

Server: Improper integrity protection of server-side encryption keys (NC-SA-2020-041)

Sat, 03 Oct 2020 14:00:00 +0200

Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the encryption keys.

For more information please consult the official advisory.

Server: Improper confidentiality protection of server-side encryption keys (NC-SA-2020-040)

Sat, 03 Oct 2020 14:00:00 +0200

Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the public key to decrypt them later on.

For more information please consult the official advisory.

Server: Downgrade encryption scheme and break integrity through known-plaintext attack (NC-SA-2020-039)

Wed, 26 Aug 2020 02:00:00 +0200

A cryptographic issue in Nextcloud Server 19.0.1 allowed an attacker to downgrade the encryption scheme and break the integrity of encrypted files.

For more information please consult the official advisory.

Server: Message Authentication Codes calculated by the Default Encryption Module allow an attacker to silently overwrite blocks in a file (NC-SA-2020-038)

Wed, 26 Aug 2020 02:00:00 +0200

A wrong generation of the passphrase for the encrypted block in Nextcloud Server 19.0.1 allowed an attacker to overwrite blocks in a file.

For more information please consult the official advisory.

Server: PIN for passwordless WebAuthn is asked for but not verified (NC-SA-2020-037)

Tue, 25 Aug 2020 14:00:00 +0200

A wrong configuration in Nextcloud Server 19.0.1 incorrectly made the user feel the passwordless WebAuthn is also a two factor verification by asking for the PIN of the passwordless WebAuthn but not verifying it.

For more information please consult the official advisory.

Deck App: Access control missing while viewing the attachments in the 'All boards' (NC-SA-2020-036)

Wed, 15 Jul 2020 14:00:00 +0200

Missing access control in Nextcloud Deck 1.0.4 caused an insecure direct object reference allowing an attacker to view all attachments.

For more information please consult the official advisory.

Desktop Client: Missing memory corruption protection on Windows release built (NC-SA-2020-035)

Fri, 10 Jul 2020 14:00:00 +0200

Missing ASLR and DEP protections in Nextcloud Desktop Client 2.6.4 for windows allowed to corrupt memory.

For more information please consult the official advisory.

Desktop Client: Memory Leak in OCUtil.dll library in Desktop client can lead to DoS (NC-SA-2020-034)

Fri, 10 Jul 2020 14:00:00 +0200

A memory leak in the OCUtil.dll library used by Nextcloud Desktop Client 2.6.4 can lead to a DoS against the host system.

For more information please consult the official advisory.

Preferred providers: Missing rate limit on signup page (NC-SA-2020-033)

Mon, 03 Aug 2020 14:00:00 +0200

A missing rate limit in the Preferred Providers app 1.7.0 allowed an attacker to set the password an uncontrolled amount of times.

For more information please consult the official advisory.

Desktop Client: Linux client is vulnerable to directory traversal when downloading files (NC-SA-2020-032)

Fri, 10 Jul 2020 14:00:00 +0200

Missing sanitization of a server response in Nextcloud Desktop Client 2.6.4 for Linux allowed a malicious Nextcloud Server to store files outside of the dedicated sync directory.

For more information please consult the official advisory.

Desktop Client: Clear text storage of proxy parameters and passwords (NC-SA-2020-031)

Fri, 10 Jul 2020 14:00:00 +0200

A cleartext storage of sensitive information in Nextcloud Desktop Client 2.6.4 gave away information about used proxies and their authentication credentials.

For more information please consult the official advisory.

Desktop Client: Arbitrary code execution in desktop client via OpenSSL config (NC-SA-2020-030)

Fri, 10 Jul 2020 14:00:00 +0200

A code injection in Nextcloud Desktop Client 2.6.4 allowed to load arbitrary code when placing a malicious OpenSSL config into a fixed directory.

For more information please consult the official advisory.

Server: Re-Sharing allows increase of privileges (NC-SA-2020-029)

Thu, 16 Jul 2020 14:00:00 +0200

A logic error in Nextcloud Server 19.0.0 caused a privilege escalation allowing malicious users to reshare with higher permissions than they got assigned themselves.

For more information please consult the official advisory.

Preferred providers: Possible denial of service when entering a long password (NC-SA-2020-028)

Tue, 16 Jun 2020 14:00:00 +0200

Improper check of inputs in Preferred providers app 1.6.0 allowed to perform a denial of service attack when using a very long password.

For more information please consult the official advisory.

Desktop Client: XSS in desktop client via invalid server address on login form (NC-SA-2020-027)

Fri, 10 Jul 2020 14:00:00 +0200

A cross-site scripting error in Nextcloud Desktop client 2.6.4 allowed to present any html (including local links) when responding with invalid data on the login attempt.

For more information please consult the official advisory.

Server: Password of share by mail is not hashed when given on the create share call (NC-SA-2020-026)

Thu, 04 Jun 2020 14:00:00 +0200

A logic error in Nextcloud Server 19.0.0 caused a plaintext storage of the share password when it was given on the initial create API call.

For more information please consult the official advisory.

Deck App: Missing permission check on resharing a board (NC-SA-2020-025)

Wed, 08 Apr 2020 14:00:00 +0200

Improper access control in Nextcloud Deck 0.8.0 allowed an attacker to reshare boards shared with them with more permissions than they had themselves.

For more information please consult the official advisory.

Contacts App: Limit contacts photo uploading to images (NC-SA-2020-024)

Thu, 16 Apr 2020 14:00:00 +0200

A missing file type check in Nextcloud Contacts 3.2.0 allowed a malicious user to upload any file as avatars.

For more information please consult the official advisory.

Server: Increase random used for encryption (NC-SA-2020-023)

Thu, 04 Jun 2020 14:00:00 +0200

A too small set of random characters being used for encryption in Nextcloud Server 18.0.4 allowed decryption in shorter time than intended.

For more information please consult the official advisory.

Deck App: Improper access control allows injecting tasks into other users decks (NC-SA-2020-022)

Fri, 15 May 2020 14:00:00 +0200

Improper access control in Nextcloud Deck 1.0.0 allowed an attacker to inject tasks into other users decks.

For more information please consult the official advisory.

Talk App: Code injection possible with malformed Nextcloud Talk chat commands (NC-SA-2020-021)

Mon, 20 Apr 2020 14:00:00 +0200

A too lax check in Nextcloud Talk 6.0.4, 7.0.2 and 8.0.7 allowed a code injection when a not correctly sanitized talk command was added by an administrator.

For more information please consult the official advisory.

Mail App: Mail app not verifying TLS host of mail servers (NC-SA-2020-020)

Tue, 24 Mar 2020 13:00:00 +0100

A missing verification of the TLS host in Nextcloud Mail 1.1.3 allowed a man in the middle attack.

For more information please consult the official advisory.

Server: XSS in Files PDF viewer (NC-SA-2020-019)

Wed, 18 Mar 2020 13:00:00 +0100

An outdated 3rd party library in the Files PDF viewer for Nextcloud Server 18.0.2 caused a Cross-site scripting vulnerability when opening a malicious PDF.

For more information please consult the official advisory.

Server: Missing ownership check on remote wipe endpoint (NC-SA-2020-018)

Wed, 18 Mar 2020 13:00:00 +0100

An Insecure direct object reference vulnerability in Nextcloud Server 18.0.2 allowed an attacker to remote wipe devices of other users when sending a malicious request directly to the endpoint.

For more information please consult the official advisory.

Groupfolders App: Renaming an item to a protected hidden folder deletes the target (NC-SA-2020-017)

Mon, 15 Jul 2019 14:00:00 +0200

Improper access control in Groupfolders app 4.0.3 allowed to delete hidden directories when when renaming an accessible item to the same name.

For more information please consult the official advisory.

Desktop Client: Code injection in Nextcloud Desktop Client for macOS (NC-SA-2020-016)

Mon, 17 Feb 2020 01:00:00 +0100

A code injection in Nextcloud Desktop Client 2.6.2 for macOS allowed to load arbitrary code when starting the client with DYLD_INSERT_LIBRARIES set in the enviroment.

For more information please consult the official advisory.

Server: Secure view shares can be downloaded by manipulating the URL (NC-SA-2020-015)

Fri, 07 Feb 2020 01:00:00 +0100

A missing access control check in Nextcloud Server 18.0.0 causes hide-download shares to be downloadable when appending /download to the URL.

For more information please consult the official advisory.

Server: SSRF protection bypass in calendar subscriptions (NC-SA-2020-014)

Thu, 12 Dec 2019 01:00:00 +0100

A missing check for IPv4 nested inside IPv6 in Nextcloud server 17.0.1 allowed a SSRF when subscribing to a malicious calendar URL.

For more information please consult the official advisory.

Server: Event details leaked when sharing a non-public calendar event (NC-SA-2020-013)

Thu, 15 Nov 2018 01:00:00 +0100

Improper preservation of permissions in Nextcloud Server 14.0.3 causes the event details to be leaked when sharing a non-public event.

For more information please consult the official advisory.

Server: Improper permission preservation on reshares (NC-SA-2020-012)

Thu, 27 Jun 2019 02:00:00 +0200

Improper permissions preservation in Nextcloud Server 16.0.1 causes sharees to be able to reshare with write permissions when sharing the mount point of a share they received, as a public link.

For more information please consult the official advisory.

Talk App: Name of private conversations leaked when linked via projects to a shared item (NC-SA-2020-011)

Mon, 29 Jul 2019 02:00:00 +0200

Improper access control in Nextcloud Talk 6.0.3 leaks the existance and the name of private conversations when linked them to another shared item via the projects feature.

For more information please consult the official advisory.

Deck App: Improper neutralization of item names in projects feature (NC-SA-2020-010)

Mon, 29 Jul 2019 02:00:00 +0200

Improper neutralization of file names, conversation names and board names in Nextcloud Server 16.0.3, Nextcloud Talk 6.0.3 and Nextcloud Deck 0.6.5 causes an XSS when linking them with each others in a project.

For more information please consult the official advisory.

Talk App: Improper neutralization of item names in projects feature (NC-SA-2020-009)

Mon, 29 Jul 2019 02:00:00 +0200

For more information please consult the official advisory.

Server: Improper neutralization of item names in projects feature (NC-SA-2020-008)

Mon, 29 Jul 2019 02:00:00 +0200

For more information please consult the official advisory.

Server: Reflected XSS in redirect of the Updater (NC-SA-2020-007)

Tue, 26 Mar 2019 01:00:00 +0100

Missing escaping of HTML in the Updater of Nextcloud 15.0.5 allowed a reflected XSS when starting the updater from a malicious location.

For more information please consult the official advisory.

Server: Duplicate setup of second factor allowed (NC-SA-2020-006)

Fri, 25 Oct 2019 02:00:00 +0200

A missing check in Nextcloud Server 17.0.0 allowed an attacker to set up a new second factor when trying to login.

For more information please consult the official advisory.

Server: Missing default timeout on HTTP requests (NC-SA-2020-005)

Wed, 04 Sep 2019 02:00:00 +0200

Dangling remote share attempts in Nextcloud 16 allow a DNS pollution when running long.

For more information please consult the official advisory.

Android App: Bypass lock protection in Android app (NC-SA-2020-004)

Thu, 05 Dec 2019 01:00:00 +0100

A wrong check for the system time in the Android App 3.9.0 causes a bypass of the lock protection when changing the time of the system to the past.

For more information please consult the official advisory.

iOS App: Missing sanitization in iOS App allows XSS (NC-SA-2020-003)

Wed, 20 Nov 2019 01:00:00 +0100

Missing sanitization in the iOS App 2.24.4 causes an XSS when opening malicious HTML files.

For more information please consult the official advisory.

Server: Workflow rules only check the file extension for the mimetype instead of the content (NC-SA-2020-002)

Wed, 04 Dec 2019 01:00:00 +0100

A bug in Nextcloud Server 17.0.1 causes the workflow rules to depend their behaviour on the file extension when checking file mimetypes.

For more information please consult the official advisory.

Server: 2FA sessions not properly expired on password change (NC-SA-2020-001)

Mon, 01 Apr 2019 02:00:00 +0200

A bug in Nextcloud Server 15.0.2 causes pending 2FA logins to not be correctly expired when the password of the user is reset.

For more information please consult the official advisory.

Server: Reflected XSS in svg logo generation (NC-SA-2019-018)

Fri, 02 Aug 2019 14:00:00 +0200

A reflected Cross-Site Scripting vunerability was discovered in the svg generation.

For more information please consult the official advisory.

iOS App: Login and token disclosure to other Nextcloud services (NC-SA-2019-017)

Tue, 12 Nov 2019 13:00:00 +0100

Violation of Secure Design Principles in the iOS App 2.23.0 causes the app to leak its login and token to other Nextcloud services when search e.g. for federated users or registering for push notifications.

For more information please consult the official advisory.

Server: User IDs and Nextcloud server leaked to Nextcloud Lookup server with disabled settings (NC-SA-2019-016)

Wed, 26 Jun 2019 14:00:00 +0200

Exposure of Private Information in Nextcloud Server 16.0.1 causes the server to send it's domain and user IDs to the Nextcloud Lookup Server without any further data when the Lookup server is disabled.

For more information please consult the official advisory.

Server: Group admins can create users with IDs of system folders (NC-SA-2019-015)

Mon, 12 Aug 2019 14:00:00 +0200

Improper Input Validation in Nextcloud Server 15.0.7 allows group admins to create users with IDs of system folders.

For more information please consult the official advisory.

Server: Server-Side request forgery in New-Subscription feature of the calendar app (NC-SA-2019-014)

Thu, 04 Jul 2019 14:00:00 +0200

An authenticated server-side request forgery in Nextcloud server 16.0.1 allowed to detect local and remote services when adding a new subscription in the calendar application.

For more information please consult the official advisory.

Circles App: Removing emails from circles does not revoke access to shared items (NC-SA-2019-013)

Sun, 06 Oct 2019 14:00:00 +0200

Improper authorization in the Circles app 0.17.7 causes retaining access when an email address was removed from a circle.

For more information please consult the official advisory.

Server: File-drop content is visible through the gallery app (NC-SA-2019-012)

Tue, 22 Oct 2019 14:00:00 +0200

Improper authorization in Nextcloud server 17.0.0 causes leaking of previews and files when a file-drop share link is opened via the gallery app.

For more information please consult the official advisory.

Android App: Query restriction bypass on exposed FileContentProvider in Android app (NC-SA-2019-011)