1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
|
<?xml version="1.0" encoding="UTF-8" ?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>Nextcloud Security Advisories RSS Feed</title>
<link>https://nextcloud.com/security/advisories/</link>
<description>The Nextcloud security advisories as a RSS feed</description>
<ttl>1800</ttl><item>
<title>Server: Content-Spoofing in "dav" app (nC-SA-2016-011)</title>
<description><p>The exception message displayed on the DAV endpoints contained partially user-controllable input leading to a potential misrepresentation of information.</p><br/><hr/><p><strong><a href="https://nextcloud.com/security/advisory/?id=nC-SA-2016-011">For more information please consult the official advisory.</a></strong></p></description>
<link>https://nextcloud.com/security/advisory/?id=nC-SA-2016-011</link>
<guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2016-011</guid>
<pubDate>Mon, 10 Oct 2016 13:21:06 +0200</pubDate>
</item><item>
<title>Server: Content-Spoofing in "files" app (nC-SA-2016-010)</title>
<description><p>The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user.</p><br/><hr/><p><strong><a href="https://nextcloud.com/security/advisory/?id=nC-SA-2016-010">For more information please consult the official advisory.</a></strong></p></description>
<link>https://nextcloud.com/security/advisory/?id=nC-SA-2016-010</link>
<guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2016-010</guid>
<pubDate>Mon, 10 Oct 2016 13:21:06 +0200</pubDate>
</item><item>
<title>Server: Reflected XSS in Gallery application (nC-SA-2016-009)</title>
<description><p>The gallery app was not properly sanitizing exception messages from the Nextcloud server. Due to an endpoint where an attacker could influence the error message this lead to a reflected Cross-Site-Scripting vulnerability.</p><br/><hr/><p><strong><a href="https://nextcloud.com/security/advisory/?id=nC-SA-2016-009">For more information please consult the official advisory.</a></strong></p></description>
<link>https://nextcloud.com/security/advisory/?id=nC-SA-2016-009</link>
<guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2016-009</guid>
<pubDate>Mon, 10 Oct 2016 13:21:06 +0200</pubDate>
</item><item>
<title>Server: Stored XSS in CardDAV image export (nC-SA-2016-008)</title>
<description><p>The CardDAV image export functionality as implemented in Nextcloud allows the download of images stored within a vCard. Due to not performing any kind of verification on the image content this is prone to a stored Cross-Site Scripting attack.</p><p><strong>Note:</strong> Nextcloud employs a very strict Content Security Policy on the DAV endpoints. This is thus only exploitable on browsers that don't support Content Security Policy.</p><br/><hr/><p><strong><a href="https://nextcloud.com/security/advisory/?id=nC-SA-2016-008">For more information please consult the official advisory.</a></strong></p></description>
<link>https://nextcloud.com/security/advisory/?id=nC-SA-2016-008</link>
<guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2016-008</guid>
<pubDate>Mon, 10 Oct 2016 13:21:06 +0200</pubDate>
</item><item>
<title>Server: Improper authorization check on removing shares (nC-SA-2016-007)</title>
<description><p>The Sharing Backend as implemented in Nextcloud does differentiate between shares to users and groups. In case of a received group share, users should be able to unshare the file to themselves but not to the whole group. The previous API implementation did simply unshare the file to all users in the group.</p><br/><hr/><p><strong><a href="https://nextcloud.com/security/advisory/?id=nC-SA-2016-007">For more information please consult the official advisory.</a></strong></p></description>
<link>https://nextcloud.com/security/advisory/?id=nC-SA-2016-007</link>
<guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2016-007</guid>
<pubDate>Mon, 10 Oct 2016 13:21:06 +0200</pubDate>
</item><item>
<title>Server: SMB User Authentication Bypass (nC-SA-2016-006)</title>
<description><p>Nextcloud includes an optional and not by default enabled SMB authentication component that allows to authenticate users against an SMB server.</p><p>This backend is implemented in a way that it tries to connect to a SMB server and if that succeeded consider the user logged-in.</p><p>The backend did not properly take into account SMB servers that any kind of anonymous auth configured. This is the default on SMB servers nowadays and allows an unauthenticated attacker to gain access to an account without valid credentials.</p><p><strong>Note:</strong> The SMB backend is disabled by default and requires manual configuration in the Nextcloud config file. If you have not configured the SMB backend then you're not affected by this vulnerability.</p><p><em><a href="https://rhinosecuritylabs.com/2016/10/operation-ownedcloud-exploitation-post-exploitation-persistence/">The reporter has published a blog post about this issue on their website as well.</a></em></p><br/><hr/><p><strong><a href="https://nextcloud.com/security/advisory/?id=nC-SA-2016-006">For more information please consult the official advisory.</a></strong></p></description>
<link>https://nextcloud.com/security/advisory/?id=nC-SA-2016-006</link>
<guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2016-006</guid>
<pubDate>Mon, 10 Oct 2016 13:21:06 +0200</pubDate>
</item><item>
<title>Server: Read-only share recipient can restore old versions of file (nC-SA-2016-005)</title>
<description><p>The restore capability of Nextcloud was not verifying whether an user has only read-only access to a share. Thus an user with read-only access was able to restore old versions.</p><br/><hr/><p><strong><a href="https://nextcloud.com/security/advisory/?id=nC-SA-2016-005">For more information please consult the official advisory.</a></strong></p></description>
<link>https://nextcloud.com/security/advisory/?id=nC-SA-2016-005</link>
<guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2016-005</guid>
<pubDate>Tue, 19 Jul 2016 10:26:09 +0200</pubDate>
</item><item>
<title>Server: Edit permission check not enforced on WebDAV COPY action (nC-SA-2016-004)</title>
<description><p>The WebDAV endpoint was not properly checking the permission on a WebDAV "COPY" action. This allowed an authenticated attacker with access to a read-only share to put new files in there. It was not possible to modify existing files.</p><br/><hr/><p><strong><a href="https://nextcloud.com/security/advisory/?id=nC-SA-2016-004">For more information please consult the official advisory.</a></strong></p></description>
<link>https://nextcloud.com/security/advisory/?id=nC-SA-2016-004</link>
<guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2016-004</guid>
<pubDate>Tue, 19 Jul 2016 10:26:09 +0200</pubDate>
</item><item>
<title>Server: Content-Spoofing in "files" app (nC-SA-2016-003)</title>
<description><p>The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user.</p><br/><hr/><p><strong><a href="https://nextcloud.com/security/advisory/?id=nC-SA-2016-003">For more information please consult the official advisory.</a></strong></p></description>
<link>https://nextcloud.com/security/advisory/?id=nC-SA-2016-003</link>
<guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2016-003</guid>
<pubDate>Tue, 19 Jul 2016 10:26:09 +0200</pubDate>
</item><item>
<title>Server: Log pollution can potentially lead to local HTML injection (nC-SA-2016-002)</title>
<description><p>The "download log" functionality in the admin screen is delivering the log in JSON format to the end-user. The file was delivered with an attachment disposition forcing the browser to download the document. However, Firefox running on Microsoft Windows would offer the user to open the data in the browser as HTML document. Thus any injected data in the log would be executed.</p><p>While the document would only be executed locally (thus on another scope) we have decided to fix this to protect our users.</p><br/><hr/><p><strong><a href="https://nextcloud.com/security/advisory/?id=nC-SA-2016-002">For more information please consult the official advisory.</a></strong></p></description>
<link>https://nextcloud.com/security/advisory/?id=nC-SA-2016-002</link>
<guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2016-002</guid>
<pubDate>Tue, 19 Jul 2016 10:26:09 +0200</pubDate>
</item><item>
<title>Server: Stored XSS in "gallery" application (nC-SA-2016-001)</title>
<description><p>Due to a recent migration of the Gallery app to the new sharing endpoint a parameter changed from an integer to a string value. This value wasn't sanitized before and was thus now vulnerable to a Cross-Site-Scripting attack.</p><p>To exploit this vulnerability an authenticated attacker has to share a folder with someone else, get them to open the shared folder in the Gallery app and open the sharing window there.</p><p>Since Nextcloud employes a strict Content-Security-Policy this vulnerability is only exploitable in browsers not supporting Content-Security-Policy. You can check at <a href="http://caniuse.com/#feat=contentsecuritypolicy">caniuse.com</a> whether your browser supports CSP.</p><br/><hr/><p><strong><a href="https://nextcloud.com/security/advisory/?id=nC-SA-2016-001">For more information please consult the official advisory.</a></strong></p></description>
<link>https://nextcloud.com/security/advisory/?id=nC-SA-2016-001</link>
<guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2016-001</guid>
<pubDate>Tue, 19 Jul 2016 10:26:09 +0200</pubDate>
</item>
</channel>
</rss>
|
