github.com/nextcloud/security-advisories.git - Unnamed repository; edit this file 'description' to name the repository.
Diffstat (limited to 'old')
-rw-r--r--old/android/.gitkeep0
-rw-r--r--old/android/nc-sa-2018-015.json30
-rw-r--r--old/android/nc-sa-2019-004.json32
-rw-r--r--old/android/nc-sa-2019-005.json29
-rw-r--r--old/android/nc-sa-2019-006.json30
-rw-r--r--old/android/nc-sa-2019-007.json31
-rw-r--r--old/android/nc-sa-2019-008.json29
-rw-r--r--old/android/nc-sa-2019-009.json30
-rw-r--r--old/android/nc-sa-2019-011.json31
-rw-r--r--old/android/nc-sa-2020-004.json32
-rw-r--r--old/calendar/nc-sa-2018-004.json34
-rw-r--r--old/circles/nc-sa-2019-013.json35
-rw-r--r--old/contacts/nc-sa-2018-005.json29
-rw-r--r--old/contacts/nc-sa-2020-024.json30
-rw-r--r--old/contacts/nc-sa-2020-044.json30
-rw-r--r--old/contacts/nc-sa-2020-045.json30
-rw-r--r--old/deck/nc-sa-2020-010.json31
-rw-r--r--old/deck/nc-sa-2020-022.json32
-rw-r--r--old/deck/nc-sa-2020-025.json33
-rw-r--r--old/deck/nc-sa-2020-036.json30
-rw-r--r--old/deck/nc-sa-2021-007.json33
-rw-r--r--old/desktop/.gitkeep0
-rw-r--r--old/desktop/nc-sa-2020-016.json31
-rw-r--r--old/desktop/nc-sa-2020-027.json30
-rw-r--r--old/desktop/nc-sa-2020-030.json31
-rw-r--r--old/desktop/nc-sa-2020-031.json31
-rw-r--r--old/desktop/nc-sa-2020-032.json30
-rw-r--r--old/desktop/nc-sa-2020-034.json32
-rw-r--r--old/desktop/nc-sa-2020-035.json31
-rw-r--r--old/desktop/nc-sa-2021-008.json32
-rw-r--r--old/generator/generate.php273
-rw-r--r--old/generator/template.php33
-rw-r--r--old/groupfolders/nc-sa-2020-017.json30
-rw-r--r--old/ios/nc-sa-2019-017.json31
-rw-r--r--old/ios/nc-sa-2020-003.json36
-rw-r--r--old/lookup-server/nc-sa-2019-010.json31
-rw-r--r--old/mail/nc-sa-2020-020.json31
-rw-r--r--old/preferred_providers/nc-sa-2020-028.json31
-rw-r--r--old/preferred_providers/nc-sa-2020-033.json31
-rw-r--r--old/server/nc-sa-2016-001.json35
-rw-r--r--old/server/nc-sa-2016-002.json33
-rw-r--r--old/server/nc-sa-2016-003.json36
-rw-r--r--old/server/nc-sa-2016-004.json33
-rw-r--r--old/server/nc-sa-2016-005.json33
-rw-r--r--old/server/nc-sa-2016-006.json44
-rw-r--r--old/server/nc-sa-2016-007.json44
-rw-r--r--old/server/nc-sa-2016-008.json36
-rw-r--r--old/server/nc-sa-2016-009.json33
-rw-r--r--old/server/nc-sa-2016-010.json46
-rw-r--r--old/server/nc-sa-2016-011.json43
-rw-r--r--old/server/nc-sa-2017-001.json37
-rw-r--r--old/server/nc-sa-2017-002.json37
-rw-r--r--old/server/nc-sa-2017-003.json37
-rw-r--r--old/server/nc-sa-2017-004.json37
-rw-r--r--old/server/nc-sa-2017-005.json35
-rw-r--r--old/server/nc-sa-2017-006.json37
-rw-r--r--old/server/nc-sa-2017-007.json30
-rw-r--r--old/server/nc-sa-2017-008.json41
-rw-r--r--old/server/nc-sa-2017-009.json30
-rw-r--r--old/server/nc-sa-2017-010.json42
-rw-r--r--old/server/nc-sa-2017-011.json32
-rw-r--r--old/server/nc-sa-2017-012.json36
-rw-r--r--old/server/nc-sa-2018-001.json36
-rw-r--r--old/server/nc-sa-2018-002.json36
-rw-r--r--old/server/nc-sa-2018-003.json35
-rw-r--r--old/server/nc-sa-2018-006.json36
-rw-r--r--old/server/nc-sa-2018-007.json30
-rw-r--r--old/server/nc-sa-2018-008.json31
-rw-r--r--old/server/nc-sa-2018-010.json40
-rw-r--r--old/server/nc-sa-2018-011.json33
-rw-r--r--old/server/nc-sa-2018-012.json29
-rw-r--r--old/server/nc-sa-2018-013.json40
-rw-r--r--old/server/nc-sa-2018-014.json31
-rw-r--r--old/server/nc-sa-2019-001.json41
-rw-r--r--old/server/nc-sa-2019-002.json46
-rw-r--r--old/server/nc-sa-2019-003.json41
-rw-r--r--old/server/nc-sa-2019-012.json40
-rw-r--r--old/server/nc-sa-2019-014.json36
-rw-r--r--old/server/nc-sa-2019-015.json35
-rw-r--r--old/server/nc-sa-2019-016.json40
-rw-r--r--old/server/nc-sa-2019-018.json41
-rw-r--r--old/server/nc-sa-2020-001.json41
-rw-r--r--old/server/nc-sa-2020-002.json40
-rw-r--r--old/server/nc-sa-2020-005.json32
-rw-r--r--old/server/nc-sa-2020-006.json32
-rw-r--r--old/server/nc-sa-2020-007.json38
-rw-r--r--old/server/nc-sa-2020-008.json31
-rw-r--r--old/server/nc-sa-2020-012.json43
-rw-r--r--old/server/nc-sa-2020-013.json40
-rw-r--r--old/server/nc-sa-2020-014.json41
-rw-r--r--old/server/nc-sa-2020-015.json40
-rw-r--r--old/server/nc-sa-2020-018.json35
-rw-r--r--old/server/nc-sa-2020-019.json32
-rw-r--r--old/server/nc-sa-2020-023.json40
-rw-r--r--old/server/nc-sa-2020-026.json37
-rw-r--r--old/server/nc-sa-2020-029.json41
-rw-r--r--old/server/nc-sa-2020-037.json33
-rw-r--r--old/server/nc-sa-2020-038.json43
-rw-r--r--old/server/nc-sa-2020-039.json33
-rw-r--r--old/server/nc-sa-2020-040.json33
-rw-r--r--old/server/nc-sa-2020-041.json33
-rw-r--r--old/server/nc-sa-2021-001.json41
-rw-r--r--old/server/nc-sa-2021-002.json41
-rw-r--r--old/server/nc-sa-2021-003.json32
-rw-r--r--old/server/nc-sa-2021-004.json32
-rw-r--r--old/server/nc-sa-2021-005.json32
-rw-r--r--old/server/nc-sa-2021-006.json31
-rw-r--r--old/social/nc-sa-2020-042.json31
-rw-r--r--old/social/nc-sa-2020-043.json31
-rw-r--r--old/talk/nc-sa-2018-009.json31
-rw-r--r--old/talk/nc-sa-2020-009.json31
-rw-r--r--old/talk/nc-sa-2020-011.json31
-rw-r--r--old/talk/nc-sa-2020-021.json40
113 files changed, 4082 insertions, 0 deletions
diff --git a/old/android/.gitkeep b/old/android/.gitkeep
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/old/android/.gitkeep
diff --git a/old/android/nc-sa-2018-015.json b/old/android/nc-sa-2018-015.json
new file mode 100644
index 0000000..4698ae3
--- /dev/null
+++ b/old/android/nc-sa-2018-015.json
@@ -0,0 +1,30 @@
+{
+ "Title": "Improper check for access to application database",
+ "Timestamp": 1564128000,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 1.8,
+ "vector": "AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N"
+ },
+ "CWE": {
+ "id": 284,
+ "name": "Improper Access Control"
+ },
+ "HackerOne": 331302,
+ "Affected":[
+ {
+ "Version":"3.2.0",
+ "CVE":"CVE-2018-3765",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A too permissive check allowed an installed application that contained the Nextcloud client package name to obtain access to the database of the Nextcloud application. At time of disclosure there are no applications with in the Google Play Store that fullfill this requirement.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "NA",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that users upgrade to version 3.2.0."
+}
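Review bot: The `vector` value in the `CVSS3` object is written without the version prefix that the CVSS v3 specification requires, so a strict vector parser will reject `AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N`; the same holds for every advisory file added in this commit. Unless the generator prepends the prefix when rendering, store the full string, e.g. `"vector": "CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N"`, using whichever 3.x version the score was computed with. The Description also has two typos to fix before publication: `with in` should be `within` and `fullfill` should be `fulfill`.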
diff --git a/old/android/nc-sa-2019-004.json b/old/android/nc-sa-2019-004.json
new file mode 100644
index 0000000..abc7bcd
--- /dev/null
+++ b/old/android/nc-sa-2019-004.json
@@ -0,0 +1,32 @@
+{
+ "Title": "Bypass lock protection in Android app",
+ "Timestamp": 1564135200,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 5.9,
+ "vector": "AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"
+ },
+ "CWE": {
+ "id": 288,
+ "name": "Authentication Bypass Using an Alternate Path or Channel"
+ },
+ "HackerOne": 490946,
+ "Affected":[
+ {
+ "Version":"3.6.1",
+ "CVE":"CVE-2019-5455",
+ "Operator":"<"
+ }
+ ],
+ "Description":"Creating a fake multi-account and aborting the process would redirect the user to the default account of the device without asking for the lock pattern if one was set up.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Julien Thomas",
+ "Company": "Protektoid.com project",
+ "Website": "https://twitter.com/julien_thomas",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that users upgrade to version 3.6.1."
+}
diff --git a/old/android/nc-sa-2019-005.json b/old/android/nc-sa-2019-005.json
new file mode 100644
index 0000000..908f936
--- /dev/null
+++ b/old/android/nc-sa-2019-005.json
@@ -0,0 +1,29 @@
+{
+ "Title": "SQL injection in Android app content provider",
+ "Timestamp": 1564135200,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 2.7,
+ "vector": "AV:P/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L"
+ },
+ "CWE": {
+ "id": 89,
+ "name": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
+ },
+ "HackerOne": 291764,
+ "Affected":[
+ {
+ "Version":"3.0.0",
+ "CVE":"CVE-2019-5454",
+ "Operator":"<"
+ }
+ ],
+ "Description":"The content provider of the app accepted arbitrary strings in the field list of the returned file list. This allowed an attacker to run harmful queries, destroying the local cache of the android app. The server data however was never in danger, so removing the account and setting it up again can fix all problems.",
+ "Acknowledgment":[
+ {
+ "Name": "David Enos (bluedangerforyou)",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that users upgrade to version 3.0.0 or later."
+}
diff --git a/old/android/nc-sa-2019-006.json b/old/android/nc-sa-2019-006.json
new file mode 100644
index 0000000..11c5df1
--- /dev/null
+++ b/old/android/nc-sa-2019-006.json
@@ -0,0 +1,30 @@
+{
+ "Title": "Bypass lock protection in Android app",
+ "Timestamp": 1564135200,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 3.2,
+ "vector": "AV:P/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"
+ },
+ "CWE": {
+ "id": 288,
+ "name": "Authentication Bypass Using an Alternate Path or Channel"
+ },
+ "HackerOne": 331489,
+ "Affected":[
+ {
+ "Version":"3.3.0",
+ "CVE":"CVE-2019-5453",
+ "Operator":"<"
+ }
+ ],
+ "Description":"If an attacker has physical access to an Android smartphone without a screen lock, but with nextcloud installed and set up, they can easily access the nextcloud-files even if the nextcloud app is locked with a fingerprint or pin.",
+ "Acknowledgment":[
+ {
+ "Name": "Volker Weißmann",
+ "Mail": "volker.weissmann@gmx.de",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that users upgrade to version 3.3.0 or later."
+}
diff --git a/old/android/nc-sa-2019-007.json b/old/android/nc-sa-2019-007.json
new file mode 100644
index 0000000..50ef672
--- /dev/null
+++ b/old/android/nc-sa-2019-007.json
@@ -0,0 +1,31 @@
+{
+ "Title": "Thumbnails of files leaked via Android content provider",
+ "Timestamp": 1564135200,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 4.3,
+ "vector": "AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"
+ },
+ "CWE": {
+ "id": 284,
+ "name": "Improper Access Control"
+ },
+ "HackerOne": 534541,
+ "Affected":[
+ {
+ "Version":"3.6.2",
+ "CVE":"CVE-2019-5452",
+ "Operator":"<"
+ }
+ ],
+ "Description":"If an attacker has physical access to an Android smartphone without a screen lock, but with nextcloud installed and set up, he can easily access the nextcloud-files even if the nextcloud app is locked with a fingerprint or pin.",
+ "Acknowledgment":[
+ {
+ "Name": "Julien Thomas",
+ "Company": "Protektoid.com project",
+ "Website": "https://twitter.com/julien_thomas",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that users upgrade to version 3.6.2."
+}
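Review bot: The `Description` here does not describe the issue named in the Title: it is word for word the physical-access lock-bypass text from old/android/nc-sa-2019-006.json (only `they` became `he`), while the Title, CWE 284 and the `AV:L` vector all point at thumbnails being exposed through the content provider. This looks like a copy-paste leftover, and a reader triaging CVE-2019-5452 from this file would misjudge both the attack precondition and the data at risk. The field needs its own text taken from the original report (HackerOne 534541), stating which data is exposed and to which local caller.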
diff --git a/old/android/nc-sa-2019-008.json b/old/android/nc-sa-2019-008.json
new file mode 100644
index 0000000..b2de6cf
--- /dev/null
+++ b/old/android/nc-sa-2019-008.json
@@ -0,0 +1,29 @@
+{
+ "Title": "Bypass lock protection in Android app",
+ "Timestamp": 1564135200,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 5.9,
+ "vector": "AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"
+ },
+ "CWE": {
+ "id": 288,
+ "name": "Authentication Bypass Using an Alternate Path or Channel"
+ },
+ "HackerOne": 507172,
+ "Affected":[
+ {
+ "Version":"3.6.1",
+ "CVE":"CVE-2019-5451",
+ "Operator":"<"
+ }
+ ],
+ "Description":"If an attacker has physical access to an Android smartphone without a screen lock, but with nextcloud installed and set up, they can circumvent the passcode protection by repeatedly opening and closing the app in a very short time.",
+ "Acknowledgment":[
+ {
+ "Name": "Mathijs van Veluw",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that users upgrade to version 3.6.1 or later."
+}
diff --git a/old/android/nc-sa-2019-009.json b/old/android/nc-sa-2019-009.json
new file mode 100644
index 0000000..7ce1aa1
--- /dev/null
+++ b/old/android/nc-sa-2019-009.json
@@ -0,0 +1,30 @@
+{
+ "Title": "Improper sanitization of HTML in directory names",
+ "Timestamp": 1564135200,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 0.0,
+ "vector": "AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:N"
+ },
+ "CWE": {
+ "id": 80,
+ "name": "Improper Neutralization of Script-Related HTML Tags in a Web Page"
+ },
+ "HackerOne": 631227,
+ "Affected":[
+ {
+ "Version":"3.7.0",
+ "CVE":"CVE-2019-5450",
+ "Operator":"<"
+ }
+ ],
+ "Description":"Some basic HTML tags were rendered as Markup in directory names.",
+ "Acknowledgment":[
+ {
+ "Name": "Christian Angel",
+ "Website": "https://www.facebook.com/ian.phtml",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that users upgrade to version 3.7.0 or later."
+}
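Review bot: The CVSS data says this advisory has no impact at all: the vector ends in `C:N/I:N/A:N` and the score is `0.0`, yet the file carries a CVE, a CWE-80 classification and a fixed release. Any consumer that filters or sorts on `CVSS3.score` will drop this entry. If rendered markup in directory names can change what a user sees, an integrity impact of at least `I:L` would normally be expected; either rescore the vector or say in the Description why the impact is rated none.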
diff --git a/old/android/nc-sa-2019-011.json b/old/android/nc-sa-2019-011.json
new file mode 100644
index 0000000..75b117a
--- /dev/null
+++ b/old/android/nc-sa-2019-011.json
@@ -0,0 +1,31 @@
+{
+ "Title": "Query restriction bypass on exposed FileContentProvider in Android app",
+ "Timestamp": 1564135200,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 2.7,
+ "vector": "AV:P/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L"
+ },
+ "CWE": {
+ "id": 89,
+ "name": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
+ },
+ "HackerOne": 518669,
+ "Affected":[
+ {
+ "Version":"3.6.1",
+ "CVE":"CVE-2019-15622",
+ "Operator":"<"
+ }
+ ],
+ "Description":"Not strictly enough sanitization allowed an attacker to get content information from protected tables when using custom queries.",
+ "Acknowledgment":[
+ {
+ "Name": "Julien Thomas",
+ "Company": "Protektoid.com project",
+ "Website": "https://twitter.com/julien_thomas",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that users upgrade to version 3.6.1 or later."
+}
diff --git a/old/android/nc-sa-2020-004.json b/old/android/nc-sa-2020-004.json
new file mode 100644
index 0000000..de89f67
--- /dev/null
+++ b/old/android/nc-sa-2020-004.json
@@ -0,0 +1,32 @@
+{
+ "Title": "Bypass lock protection in Android app",
+ "Timestamp": 1575504000,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 5.9,
+ "vector": "AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"
+ },
+ "CWE": {
+ "id": 288,
+ "name": "Authentication Bypass Using an Alternate Path or Channel"
+ },
+ "HackerOne": 747726,
+ "Affected":[
+ {
+ "Version":"3.9.1",
+ "CVE":"CVE-2019-15615",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A wrong check for the system time in the Android App 3.9.0 causes a bypass of the lock protection when changing the time of the system to the past.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Arvind",
+ "Mail": "ar-arvind@protonmail.com",
+ "Website": "https://www.facebook.com/1808arvind",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Android App is upgraded to 3.9.1."
+}
diff --git a/old/calendar/nc-sa-2018-004.json b/old/calendar/nc-sa-2018-004.json
new file mode 100644
index 0000000..6d24f79
--- /dev/null
+++ b/old/calendar/nc-sa-2018-004.json
@@ -0,0 +1,34 @@
+{
+ "Title": "Stored XSS in calendar via group shares",
+ "Timestamp": 1529582400,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 3.5,
+ "vector": "AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N"
+ },
+ "CWE": {
+ "id": 79,
+ "name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
+ },
+ "Affected":[
+ {
+ "Version":"1.6.1",
+ "CVE":"CVE-2018-3763",
+ "Operator":"<"
+ },
+ {
+ "Version":"1.5.8",
+ "CVE":"CVE-2018-3763",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected group names, hence malicious search results could only be crafted by privileged users like admins or group admins.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "An anonymous hacker",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the calendar app is upgraded to 1.6.1."
+}
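Review bot: Both `Affected` entries use `"Operator":"<"` with no lower bound, so the two ranges overlap. A consumer that treats the list as alternatives will report a 1.5.x install at or above 1.5.8 as affected, simply because it is still below 1.6.1. The format should document that entries are matched per release branch, and the Resolution should name both fixed releases, e.g. `"Resolution": "It is recommended that the calendar app is upgraded to 1.6.1 or 1.5.8."`. old/circles/nc-sa-2019-013.json has the same shape (0.17.8 and 0.16.11, with only 0.17.8 in its Resolution).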
diff --git a/old/circles/nc-sa-2019-013.json b/old/circles/nc-sa-2019-013.json
new file mode 100644
index 0000000..9ee1689
--- /dev/null
+++ b/old/circles/nc-sa-2019-013.json
@@ -0,0 +1,35 @@
+{
+ "Title": "Removing emails from circles does not revoke access to shared items",
+ "Timestamp": 1570363200,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 2.0,
+ "vector": "AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N"
+ },
+ "CWE": {
+ "id": 285,
+ "name": "Improper Authorization"
+ },
+ "HackerOne": 673724,
+ "Affected":[
+ {
+ "Version":"0.17.8",
+ "CVE":"CVE-2019-15610",
+ "Operator":"<"
+ },
+ {
+ "Version":"0.16.11",
+ "CVE":"CVE-2019-15610",
+ "Operator":"<"
+ }
+ ],
+ "Description":"Improper authorization in the Circles app 0.17.7 causes retaining access when an email address was removed from a circle.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "michag86",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Circles app is upgraded to 0.17.8."
+}
diff --git a/old/contacts/nc-sa-2018-005.json b/old/contacts/nc-sa-2018-005.json
new file mode 100644
index 0000000..74f9a05
--- /dev/null
+++ b/old/contacts/nc-sa-2018-005.json
@@ -0,0 +1,29 @@
+{
+ "Title": "Stored XSS in contacts via group shares",
+ "Timestamp": 1529582400,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 3.5,
+ "vector": "AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N"
+ },
+ "CWE": {
+ "id": 79,
+ "name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
+ },
+ "Affected":[
+ {
+ "Version":"2.1.2",
+ "CVE":"CVE-2018-3764",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected group names, hence malicious search results could only be crafted by privileged users like admins or group admins.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "An anonymous hacker",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the contacts app is upgraded to 2.1.2."
+}
diff --git a/old/contacts/nc-sa-2020-024.json b/old/contacts/nc-sa-2020-024.json
new file mode 100644
index 0000000..62a16c2
--- /dev/null
+++ b/old/contacts/nc-sa-2020-024.json
@@ -0,0 +1,30 @@
+{
+ "Title": "Limit contacts photo uploading to images",
+ "Timestamp": 1587038400,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 2.6,
+ "vector": "AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N"
+ },
+ "CWE": {
+ "id": 840,
+ "name": "Business Logic Errors"
+ },
+ "HackerOne": 808287,
+ "Affected":[
+ {
+ "Version":"3.3.0",
+ "CVE":"CVE-2020-8181",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A missing file type check in Nextcloud Contacts 3.2.0 allowed a malicious user to upload any file as avatars.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Tommy Suriel",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Contacts is upgraded to 3.3.0."
+}
diff --git a/old/contacts/nc-sa-2020-044.json b/old/contacts/nc-sa-2020-044.json
new file mode 100644
index 0000000..7eacb42
--- /dev/null
+++ b/old/contacts/nc-sa-2020-044.json
@@ -0,0 +1,30 @@
+{
+ "Title": "XSS through image upload on contacts using svg file with png extension",
+ "Timestamp": 1603195200,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 5.5,
+ "vector": "AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L"
+ },
+ "CWE": {
+ "id": 79,
+ "name": "Cross-site Scripting (XSS) - Stored"
+ },
+ "HackerOne": 998422,
+ "Affected":[
+ {
+ "Version":"3.4.1",
+ "CVE":"CVE-2020-8280",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A missing file type check in Nextcloud Contacts 3.4.0 allowed a malicious user to upload SVG files as PNG files to perform XSS attacks.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Tommy Suriel",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Contacts is upgraded to 3.4.1."
+}
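Review bot: `CWE.name` is free text that disagrees between files for the same `id`, so the two fields can drift and name-based grouping will split one weakness into several. For id 79 this commit uses `Cross-site Scripting (XSS) - Stored` here and in nc-sa-2020-045.json, `Cross-site Scripting (XSS) - Generic` in old/desktop/nc-sa-2020-027.json, and two variants of the catalogue title in old/calendar/nc-sa-2018-004.json and old/deck/nc-sa-2020-010.json. The newer labels look like bug-bounty platform categories rather than CWE titles (this is inferred from the wording). I would settle on one canonical name per id, e.g. `"name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"`, or derive the name from the id in the generator.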
diff --git a/old/contacts/nc-sa-2020-045.json b/old/contacts/nc-sa-2020-045.json
new file mode 100644
index 0000000..bc13ea2
--- /dev/null
+++ b/old/contacts/nc-sa-2020-045.json
@@ -0,0 +1,30 @@
+{
+ "Title": "XSS through image upload of contacts using svg file",
+ "Timestamp": 1603195200,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 5.5,
+ "vector": "AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L"
+ },
+ "CWE": {
+ "id": 79,
+ "name": "Cross-site Scripting (XSS) - Stored"
+ },
+ "HackerOne": 894876,
+ "Affected":[
+ {
+ "Version":"3.4.0",
+ "CVE":"CVE-2020-8281",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A missing file type check in Nextcloud Contacts 3.3.0 allowed a malicious user to upload malicious SVG files to perform XSS attacks.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Tommy Suriel",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Contacts is upgraded to 3.4.0."
+}
diff --git a/old/deck/nc-sa-2020-010.json b/old/deck/nc-sa-2020-010.json
new file mode 100644
index 0000000..b4936b1
--- /dev/null
+++ b/old/deck/nc-sa-2020-010.json
@@ -0,0 +1,31 @@
+{
+ "Title": "Improper neutralization of item names in projects feature",
+ "Timestamp": 1564358400,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 2.0,
+ "vector": "AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N"
+ },
+ "CWE": {
+ "id": 79,
+ "name": "Improper Neutralization of Input During Web Page Generation"
+ },
+ "HackerOne": 662204,
+ "Affected":[
+ {
+ "Version":"0.6.6",
+ "CVE":"CVE-2019-15619",
+ "Operator":"<"
+ }
+ ],
+ "Description":"Improper neutralization of file names, conversation names and board names in Nextcloud Server 16.0.3, Nextcloud Talk 6.0.3 and Nextcloud Deck 0.6.5 causes an XSS when linking them with each others in a project.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Tim Coen",
+ "Website": "https://security-consulting.icu/",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Deck is upgraded to 0.6.6."
+}
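Review bot: `Timestamp` is a bare epoch value with no stated unit or meaning, and here `1564358400` decodes to 2019-07-29 UTC (assuming seconds) although the advisory is numbered nc-sa-2020-010. If the field is meant to be the publication date, this looks wrong; if it is the report or fix date, that should be stated wherever the format is documented, because consumers sort and alert on it. The same mismatch appears in old/android/nc-sa-2018-015.json (decodes to 2019-07-26) and old/deck/nc-sa-2021-007.json (decodes to 2020-06-03).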
diff --git a/old/deck/nc-sa-2020-022.json b/old/deck/nc-sa-2020-022.json
new file mode 100644
index 0000000..9cbf29c
--- /dev/null
+++ b/old/deck/nc-sa-2020-022.json
@@ -0,0 +1,32 @@
+{
+ "Title": "Improper access control allows injecting tasks into other users decks",
+ "Timestamp": 1589544000,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 4.1,
+ "vector": "AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N"
+ },
+ "CWE": {
+ "id": 284,
+ "name": "Improper Access Control - Generic"
+ },
+ "HackerOne": 867052,
+ "Affected":[
+ {
+ "Version":"1.0.1",
+ "CVE":"CVE-2020-8179",
+ "Operator":"<"
+ }
+ ],
+ "Description":"Improper access control in Nextcloud Deck 1.0.0 allowed an attacker to inject tasks into other users decks.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Remco Sprooten",
+ "Company": "Sector52",
+ "Mail": "remco@sector52.nl",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Deck is upgraded to 1.0.1."
+}
diff --git a/old/deck/nc-sa-2020-025.json b/old/deck/nc-sa-2020-025.json
new file mode 100644
index 0000000..54a051f
--- /dev/null
+++ b/old/deck/nc-sa-2020-025.json
@@ -0,0 +1,33 @@
+{
+ "Title": "Missing permission check on resharing a board",
+ "Timestamp": 1586347200,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 7.3,
+ "vector": "AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H"
+ },
+ "CWE": {
+ "id": 284,
+ "name": "Improper Access Control - Generic"
+ },
+ "HackerOne": 827816,
+ "Affected":[
+ {
+ "Version":"0.8.1",
+ "CVE":"CVE-2020-8182",
+ "Operator":"<"
+ }
+ ],
+ "Description":"Improper access control in Nextcloud Deck 0.8.0 allowed an attacker to reshare boards shared with them with more permissions than they had themselves.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Silvia Väli",
+ "Company": "Clarified Security",
+ "Mail": "silvia@clarifiedsecurity.com",
+ "Website": "https://www.clarifiedsecurity.com/silvia-vali/",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Deck is upgraded to 0.8.1."
+}
diff --git a/old/deck/nc-sa-2020-036.json b/old/deck/nc-sa-2020-036.json
new file mode 100644
index 0000000..8b2ffdd
--- /dev/null
+++ b/old/deck/nc-sa-2020-036.json
@@ -0,0 +1,30 @@
+{
+ "Title": "Access control missing while viewing the attachments in the 'All boards'",
+ "Timestamp": 1594814400,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 6.5,
+ "vector": "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ },
+ "CWE": {
+ "id": 639,
+ "name": "Insecure Direct Object Reference (IDOR)"
+ },
+ "HackerOne": 916704,
+ "Affected":[
+ {
+ "Version":"1.0.5",
+ "CVE":"CVE-2020-8235",
+ "Operator":"<"
+ }
+ ],
+ "Description":"Missing access control in Nextcloud Deck 1.0.4 caused an insecure direct object reference allowing an attacker to view all attachments.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Divyesh Prajapati",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Deck is upgraded to 1.0.5."
+}
diff --git a/old/deck/nc-sa-2021-007.json b/old/deck/nc-sa-2021-007.json
new file mode 100644
index 0000000..c95d9d1
--- /dev/null
+++ b/old/deck/nc-sa-2021-007.json
@@ -0,0 +1,33 @@
+{
+ "Title": "New users can read all Nextcloud Deck data from previous user with same username",
+ "Timestamp": 1591178400,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 5.1,
+ "vector": "AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L"
+ },
+ "CWE": {
+ "id": 639,
+ "name": "Insecure Direct Object Reference (IDOR)"
+ },
+ "HackerOne": 882258,
+ "Affected":[
+ {
+ "Version":"1.0.2",
+ "CVE":"CVE-2020-8297",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A logic error in Nextcloud Deck 1.0.1 allowed new users with a duplicate user identifier to use deck data of a previous deleted user.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Stefan Niedermann",
+ "Mail": "info@niedermann.it",
+ "Website": "https://www.niedermann.it",
+ "Company": "Niedermann IT-Dienstleistungen",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Deck is upgraded to 1.0.2."
+}
diff --git a/old/desktop/.gitkeep b/old/desktop/.gitkeep
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/old/desktop/.gitkeep
diff --git a/old/desktop/nc-sa-2020-016.json b/old/desktop/nc-sa-2020-016.json
new file mode 100644
index 0000000..2b1e1c5
--- /dev/null
+++ b/old/desktop/nc-sa-2020-016.json
@@ -0,0 +1,31 @@
+{
+ "Title": "Code injection in Nextcloud Desktop Client for macOS",
+ "Timestamp": 1581897600,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 3.8,
+ "vector": "AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L"
+ },
+ "CWE": {
+ "id": 94,
+ "name": "Improper Control of Generation of Code (Code Injection)"
+ },
+ "HackerOne": 633266,
+ "Affected":[
+ {
+ "Version":"2.6.3",
+ "CVE":"CVE-2020-8140",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A code injection in Nextcloud Desktop Client 2.6.2 for macOS allowed to load arbitrary code when starting the client with DYLD_INSERT_LIBRARIES set in the enviroment.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Wojciech Reguła",
+ "Website": "https://wojciechregula.blog/",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Desktop Client is upgraded to 2.6.3."
+}
diff --git a/old/desktop/nc-sa-2020-027.json b/old/desktop/nc-sa-2020-027.json
new file mode 100644
index 0000000..676665e
--- /dev/null
+++ b/old/desktop/nc-sa-2020-027.json
@@ -0,0 +1,30 @@
+{
+ "Title": "XSS in desktop client via invalid server address on login form",
+ "Timestamp": 1594382400,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 4.7,
+ "vector": "AV:P/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"
+ },
+ "CWE": {
+ "id": 79,
+ "name": "Cross-site Scripting (XSS) - Generic"
+ },
+ "HackerOne": 685552,
+ "Affected":[
+ {
+ "Version":"2.6.5",
+ "CVE":"CVE-2020-8189",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A cross-site scripting error in Nextcloud Desktop client 2.6.4 allowed to present any html (including local links) when responding with invalid data on the login attempt.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Juan Pablo Lopez Yacubian",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Desktop client is upgraded to 2.6.5."
+}
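Review bot: The vector's `AV:P` (physical access) does not obviously match the Description, which says the HTML is presented "when responding with invalid data on the login attempt", i.e. the content comes from whatever server the client contacts. If that reading is right, the attack vector would normally be rated `AV:N`, and the 4.7 score understates exposure for anyone prioritising on CVSS. Please re-check the vector against the original report (HackerOne 685552), or add a sentence to the Description explaining why physical access is required.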
diff --git a/old/desktop/nc-sa-2020-030.json b/old/desktop/nc-sa-2020-030.json
new file mode 100644
index 0000000..1d19303
--- /dev/null
+++ b/old/desktop/nc-sa-2020-030.json
@@ -0,0 +1,31 @@
+{
+ "Title": "Arbitrary code execution in desktop client via OpenSSL config",
+ "Timestamp": 1594382400,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 4.8,
+ "vector": "AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L"
+ },
+ "CWE": {
+ "id": 94,
+ "name": "Improper Control of Generation of Code (Code Injection)"
+ },
+ "HackerOne": 622170,
+ "Affected":[
+ {
+ "Version":"2.6.5",
+ "CVE":"CVE-2020-8224",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A code injection in Nextcloud Desktop Client 2.6.4 allowed to load arbitrary code when placing a malicious OpenSSL config into a fixed directory.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Nick Marcoccio",
+ "Website": "https://twitter.com/1oopho1e",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Desktop Client is upgraded to 2.6.5."
+}
diff --git a/old/desktop/nc-sa-2020-031.json b/old/desktop/nc-sa-2020-031.json
new file mode 100644
index 0000000..ffcd7cf
--- /dev/null
+++ b/old/desktop/nc-sa-2020-031.json
@@ -0,0 +1,31 @@
+{
+ "Title": "Clear text storage of proxy parameters and passwords",
+ "Timestamp": 1594382400,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 5.7,
+ "vector": "AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"
+ },
+ "CWE": {
+ "id": 312,
+ "name": "Cleartext Storage of Sensitive Information"
+ },
+ "HackerOne": 685990,
+ "Affected":[
+ {
+ "Version":"2.6.5",
+ "CVE":"CVE-2020-8225",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A cleartext storage of sensitive information in Nextcloud Desktop Client 2.6.4 gave away information about used proxies and their authentication credentials.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Rbcafe",
+ "Website": "https://www.rbcafe.com/",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Desktop Client is upgraded to 2.6.5."
+}
diff --git a/old/desktop/nc-sa-2020-032.json b/old/desktop/nc-sa-2020-032.json
new file mode 100644
index 0000000..744a11a
--- /dev/null
+++ b/old/desktop/nc-sa-2020-032.json
@@ -0,0 +1,30 @@
+{
+ "Title": "Linux client is vulnerable to directory traversal when downloading files",
+ "Timestamp": 1594382400,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 5.1,
+ "vector": "AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L"
+ },
+ "CWE": {
+ "id": 22,
+ "name": "Path Traversal"
+ },
+ "HackerOne": 590319,
+ "Affected":[
+ {
+ "Version":"2.6.5",
+ "CVE":"CVE-2020-8227",
+ "Operator":"<"
+ }
+ ],
+ "Description":"Missing sanitization of a server response in Nextcloud Desktop Client 2.6.4 for Linux allowed a malicious Nextcloud Server to store files outside of the dedicated sync directory.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Carl Pearson",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Desktop Client is upgraded to 2.6.5."
+}
diff --git a/old/desktop/nc-sa-2020-034.json b/old/desktop/nc-sa-2020-034.json
new file mode 100644
index 0000000..18b314c
--- /dev/null
+++ b/old/desktop/nc-sa-2020-034.json
@@ -0,0 +1,32 @@
+{
+ "Title": "Memory Leak in OCUtil.dll library in Desktop client can lead to DoS",
+ "Timestamp": 1594382400,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 5.9,
+ "vector": "AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H"
+ },
+ "CWE": {
+ "id": 400,
+ "name": "Denial of Service"
+ },
+ "HackerOne": 588562,
+ "Affected":[
+ {
+ "Version":"2.6.5",
+ "CVE":"CVE-2020-8229",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A memory leak in the OCUtil.dll library used by Nextcloud Desktop Client 2.6.4 can lead to a DoS against the host system.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Cosmin Craciun",
+ "Mail": "cwaverst@gmail.com",
+ "Company": "Finastra",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Desktop Client is upgraded to 2.6.5."
+}
diff --git a/old/desktop/nc-sa-2020-035.json b/old/desktop/nc-sa-2020-035.json
new file mode 100644
index 0000000..4117210
--- /dev/null
+++ b/old/desktop/nc-sa-2020-035.json
@@ -0,0 +1,31 @@
+{
+ "Title": "Missing memory corruption protection on Windows release built",
+ "Timestamp": 1594382400,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 4.7,
+ "vector": "AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"
+ },
+ "CWE": {
+ "id": 119,
+ "name": "Memory Corruption - Generic"
+ },
+ "HackerOne": 380102,
+ "Affected":[
+ {
+ "Version":"2.6.5",
+ "CVE":"CVE-2020-8230",
+ "Operator":"<"
+ }
+ ],
+ "Description":"Missing ASLR and DEP protections in Nextcloud Desktop Client 2.6.4 for windows allowed to corrupt memory.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "René Freingruber",
+ "Website": "https://www.sec-consult.com",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Desktop Client is upgraded to 2.6.5."
+}
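Review bot: The `Description` says the missing ASLR and DEP protections "allowed to corrupt memory", which overstates what the finding is: absent mitigations do not corrupt memory themselves, they make an existing memory-corruption bug easier to exploit. A wording closer to the finding would be `"Description":"The Windows release build of Nextcloud Desktop Client 2.6.4 was built without ASLR and DEP, removing exploit mitigations for memory-corruption bugs in the client."`. The `Title` also reads "release built" where "release build" is presumably meant.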
diff --git a/old/desktop/nc-sa-2021-008.json b/old/desktop/nc-sa-2021-008.json
new file mode 100644
index 0000000..5d8b56f
--- /dev/null
+++ b/old/desktop/nc-sa-2021-008.json
@@ -0,0 +1,32 @@
+{
+ "Title": "Missing URL validation allowed RCE for the server on the Desktop client",
+ "Timestamp": 1614164400,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 4.7,
+ "vector": "AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L"
+ },
+ "CWE": {
+ "id": 99,
+ "name": "Resource Injection"
+ },
+ "HackerOne": 1078002,
+ "Affected":[
+ {
+ "Version":"3.1.3",
+ "CVE":"CVE-2021-22879",
+ "Operator":"<"
+ }
+ ],
+ "Description":"Missing validation of URLs in Nextcloud Desktop Client 3.1.2 and earlier allowed a malicious server to execute code on the client. User interaction was required.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Fabian Bräunlein",
+ "Company": "Positive Security",
+ "Website": "https://positive.security",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Desktop Client is upgraded to 3.1.3."
+}
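Review bot: The `Title` "Missing URL validation allowed RCE for the server on the Desktop client" leaves the direction of the attack unclear, and can be read as code execution on the server. The `Description` states that a malicious server executes code on the client, so the title should say the same, e.g. `"Title": "Missing URL validation allowed a malicious server to execute code on the Desktop client"`. This matters because the title is the only text shown in the overview list and as the RSS item title.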
diff --git a/old/generator/generate.php b/old/generator/generate.php
new file mode 100644
index 0000000..a6ccebb
--- /dev/null
+++ b/old/generator/generate.php
@@ -0,0 +1,273 @@
+<?php
+/**
+ * @author Lukas Reschke <lukas@owncloud.com>
+ * @author Tom Needham <tom@owncloud.com>
+ *
+ * @copyright Copyright (c) 2015, ownCloud, Inc.
+ * @license AGPL-3.0
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program. If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+date_default_timezone_set('Europe/Berlin');
+$components = [
+ 'server' => 'Server',
+ 'desktop' => 'Desktop Client',
+ 'android' => 'Android App',
+ 'ios' => 'iOS App',
+ 'calendar' => 'Calendar App',
+ 'circles' => 'Circles App',
+ 'contacts' => 'Contacts App',
+ 'deck' => 'Deck App',
+ 'groupfolders' => 'Groupfolders App',
+ 'mail' => 'Mail App',
+ 'social' => 'Social App',
+ 'talk' => 'Talk App',
+ 'preferred_providers' => 'Preferred providers',
+ 'lookup-server' => 'Lookup server',
+];
+$allBugs = [];
+
+$dir = new DirectoryIterator(__DIR__ . '/out');
+foreach ($dir as $fileinfo) {
+ if ($fileinfo->isDot() || $fileinfo->getFilename() === '.gitkeep') {
+ continue;
+ }
+
+ unlink($fileinfo->getRealPath());
+}
+
+foreach($components as $component => $componentName) {
+ echo "… Iterating $component …\n";
+ $componentBugs = [];
+
+ $dir = new DirectoryIterator(__DIR__ . '/../old/' . $component);
+ foreach ($dir as $fileinfo) {
+ if (!$fileinfo->isDot() && $fileinfo->getFilename() !== '.gitkeep') {
+ echo "Processing $fileinfo \n";
+
+ $content = file_get_contents('./template.php');
+ $advisory = json_decode(file_get_contents($fileinfo->getRealPath()), true);
+
+ $content = str_replace(
+ ['~~TITLE~~', '~~IDENTIFIER~~', '~~DATE~~'],
+ [$advisory['Title'], str_replace('nc-sa', 'NC-SA', substr($fileinfo, 0, -5)), date('jS F o', $advisory['Timestamp'])],
+ $content
+ );
+
+ $risk = $advisory['Risk'];
+ switch ($risk) {
+ case 1:
+ $risk = 'Low';
+ break;
+ case 2:
+ $risk = 'Medium';
+ break;
+ case 3:
+ $risk = 'High';
+ break;
+
+ }
+ $content = str_replace('~~LEVEL~~', $risk, $content);
+
+ $cwe = '';
+ if(isset($advisory['CWE'])) {
+ $cwe = sprintf("<p>CWE: <a href=\"https://cwe.mitre.org/data/definitions/%s.html\">%s (CWE-%s)</a></p>", $advisory['CWE']['id'], $advisory['CWE']['name'], $advisory['CWE']['id']);
+
+ }
+ $content = str_replace('~~CWE~~', $cwe, $content);
+
+ $hackerOne = '';
+ if(isset($advisory['HackerOne'])) {
+ $hackerOne = '<p>HackerOne report: <a href="https://hackerone.com/reports/'.$advisory['HackerOne'].'">'.$advisory['HackerOne'] .'</a></p>';
+
+ }
+ $content = str_replace('~~HackerOne~~', $hackerOne, $content);
+
+ $cvss = '';
+ if(isset($advisory['CVSS2'])) {
+ $cvss = '<p>CVSS v2 Base Score: '.$advisory['CVSS2']['score'].' (<a href="https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=('.$advisory['CVSS2']['vector'].')">'.$advisory['CVSS2']['vector'].'</a>)</p>';
+ }
+ if(isset($advisory['CVSS3'])) {
+ $cvss = '<p>CVSS v3 Base Score: '.$advisory['CVSS3']['score'].' (<a href="https://www.first.org/cvss/calculator/3.0#CVSS:3.0/'.$advisory['CVSS3']['vector'].'">'.$advisory['CVSS3']['vector'].'</a>)</p>';
+ }
+ $content = str_replace(
+ ['~~CVSS~~', '~~DESCRIPTION~~'],
+ [$cvss, $advisory['Description']],
+ $content
+ );
+
+ $affectedVersions = '';
+ foreach($advisory['Affected'] as $affected) {
+ $operator = isset($affected['Operator']) ? $affected['Operator'] . ' ' : '';
+ $affectedVersions .= sprintf("<li>Nextcloud %s %s<strong>%s</strong> (%s)</li>\n", ucfirst($component), htmlentities($operator), $affected['Version'], $affected['CVE']);
+ if(isset($affected['Commits'])) {
+ $affectedVersions .= "<ul>\n";
+ $commitsToList = count($affected['Commits']);
+ foreach($affected['Commits'] as $commit) {
+ [$repository, $commit] = explode('/', $commit);
+ $affectedVersions .= sprintf("<li><a href=\"https://github.com/nextcloud/%s/commit/%s\">%s/%s</a></li>\n", $repository, $commit, $repository, $commit);
+ }
+ $affectedVersions .= "</ul>\n";
+ }
+ $componentBugs[$affected['Version']][substr($fileinfo, 0, -5)] = $advisory['Title'];
+ }
+ $content = str_replace('~~AFFECTEDVERSIONS~~', $affectedVersions, $content);
+
+ $actionTaken = $advisory['ActionTaken'] ?? 'The error has been fixed.';
+ $resolution = $advisory['Resolution'] ?? '';
+ $content = str_replace(
+ ['~~ACTION~~', '~~RESOLUTION~~'],
+ [$actionTaken, $resolution],
+ $content
+ );
+
+ $acknowledgments = '';
+ if (isset($advisory['Acknowledgment'])) {
+ foreach ($advisory['Acknowledgment'] as $acknowledgment) {
+ $company = $acknowledgment['Company'] ?? '';
+ $mail = $acknowledgment['Mail'] ?? '';
+ $reason = $acknowledgment['Reason'] ?? '';
+ $website = $acknowledgment['Website'] ?? '';
+ $acknowledgments .= '<li>';
+ if ($website) {
+ $acknowledgments .= '<a href="'.$website.'" target="_blank" rel="noreferrer">';
+ }
+ $acknowledgments .= $acknowledgment['Name'];
+ if ($company !== '') {
+ $acknowledgments .= ' - '.$company;
+ }
+ if ($mail !== '') {
+ $acknowledgments .= ' ('.$mail.')';
+ }
+ $acknowledgments .= ' - '.$reason;
+ if ($website) {
+ $acknowledgments .= '</a>';
+ }
+ $acknowledgments .= '</li>';
+ }
+ }
+ $content = str_replace('~~ACKNOWLEDGMENTS~~', $acknowledgments, $content);
+
+ if (file_exists('./out/' . substr($fileinfo, 0, -5) . '.php')) {
+ throw new Exception('Duplicate identifier: ' . substr($fileinfo, 0, -5));
+ }
+ file_put_contents('./out/' . substr($fileinfo, 0, -5) . '.php', $content);
+
+ echo "Finished $fileinfo\n";
+ }
+ }
+
+ // Create complete overview list
+ uksort($componentBugs, 'version_compare');
+ $componentBugs = array_reverse($componentBugs);
+
+ $allBugs[$component] = $componentBugs;
+}
+
+// Create RSS feed & overview page
+$identifiersDone = [];
+$rssEntries = [];
+$listEntries = [];
+$rss = '<?xml version="1.0" encoding="UTF-8" ?>
+<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
+<channel>
+ <title>Nextcloud Security Advisories RSS Feed</title>
+ <link>https://nextcloud.com/security/advisories/</link>
+ <description>The Nextcloud security advisories as a RSS feed</description>
+ <ttl>1800</ttl>';
+foreach ($allBugs as $category => $list) {
+ foreach ($list as $advisories) {
+ foreach ($advisories as $identifier => $title) {
+ if (!isset($identifiersDone[$identifier])) {
+ $identifiersDone[$identifier] = 'true';
+ $advisoryContent = json_decode(file_get_contents(__DIR__ . '/../old/' . strtolower($category) . '/' . $identifier . '.json'), true);
+ if (!isset($components[strtolower($category)])) {
+ throw new Exception('Unknown category: ' . $category);
+ }
+ $categoryText = $components[strtolower($category)];
+ $identifier = str_replace('c-sa', 'C-SA', substr($identifier, 0));
+ $description = htmlentities($advisoryContent['Description'] . '<br/><hr/><p><strong><a href="https://nextcloud.com/security/advisory/?id=' . $identifier . '">For more information please consult the official advisory.</a></strong></p>');
+ $originalTitle = $title;
+ $title = htmlentities($categoryText . ': ' . $title . ' (' . ucfirst($identifier) . ')');
+ $date = date('r', $advisoryContent['Timestamp']);
+ $rssEntry = "<item>
+ <title>$title</title>
+ <description>$description</description>
+ <link>https://nextcloud.com/security/advisory/?id=$identifier</link>
+ <guid isPermaLink=\"true\">https://nextcloud.com/security/advisory/?id=$identifier</guid>
+ <pubDate>$date</pubDate>
+ </item>";
+ $rssEntries[$identifier] = $rssEntry;
+
+ $identifier = ucfirst($identifier);
+ // overview page
+ foreach ($advisoryContent['Affected'] as $key => $value) {
+ if ($categoryText === 'Server') {
+ $categoryText = 'Nextcloud Server';
+ }
+ $version = $value['Version'];
+ $dateTime = date('Y-m-d', $advisoryContent['Timestamp']);
+ $listEntry = "<li><a href=\"/security/advisory/?id=$identifier\">" . htmlentities($originalTitle) . " ($identifier)</a> $dateTime</li>";
+
+ $year = substr($identifier, 6, 4);
+ $listId = $categoryText . ' ' . $version;
+ if (!isset($listEntries[$year])) {
+ $listEntries[$year] = [];
+ }
+ if (!isset($listEntries[$year][$dateTime])) {
+ $listEntries[$year][$dateTime] = [];
+ }
+ if (!isset($listEntries[$year][$dateTime][$listId])) {
+ $listEntries[$year][$dateTime][$listId] = [];
+ }
+ $listEntries[$year][$dateTime][$listId][] = $listEntry;
+ rsort($listEntries[$year][$dateTime][$listId]);
+ }
+ }
+ }
+ }
+}
+ksort($rssEntries);
+$rssEntries = array_reverse($rssEntries);
+foreach($rssEntries as $entry) {
+ $rss.=$entry;
+}
+$rss .= '
+</channel>
+</rss>';
+
+file_put_contents('./out/advisories.rss', $rss);
+echo "Created RSS feed\n";
+
+$fullList = '';
+
+foreach ($listEntries as $year => $dateList) {
+
+ $fullList .= "<hr>\n\n";
+ $fullList .= "<h2>$year</h2>\n\n";
+
+ krsort($dateList); // sort descending by date
+ foreach ($dateList as $key => $sublist) {
+ foreach ($sublist as $title => $entries) {
+ $fullList .= "<h3>$title</h3>\n<ul>\n\t";
+ $fullList .= implode("\n\t", $entries);
+ $fullList .= "\n</ul>\n\n";
+ }
+ }
+}
+
+file_put_contents('./out/full-list.php', $fullList);
+echo "Created full list\n";
+
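Review bot: Advisory fields are concatenated into HTML without escaping. In the acknowledgment loop `Website` goes straight into an `href` attribute and `Name`, `Company`, `Mail` and `Reason` into the list item, and `Title`, `Version`, `CVE`, the CWE name and the CVSS vector are handled the same way further up. Since the JSON files are edited by contributors, each of these should pass through `htmlspecialchars(..., ENT_QUOTES, 'UTF-8')`, and the link should be emitted only for http(s) URLs. `Description` carries intentional markup in some advisories and needs a separate decision. The result of `json_decode` is also used without a null check, so a malformed advisory file produces a page with empty fields instead of stopping the run. In the RSS section `htmlentities` emits HTML named entities that XML does not define, which would break the feed for non-ASCII text; `htmlspecialchars($text, ENT_XML1 | ENT_QUOTES, 'UTF-8')` is the safer call there.

```php
// … unchanged: template load, risk / CWE / CVSS / affected-version blocks …
$website = $acknowledgment['Website'] ?? '';
// Link only http(s) targets; any other value is rendered without a link.
if ($website !== '' && !preg_match('#^https?://#i', $website)) {
    $website = '';
}
$acknowledgments .= '<li>';
if ($website) {
    $acknowledgments .= '<a href="' . htmlspecialchars($website, ENT_QUOTES, 'UTF-8') . '" target="_blank" rel="noreferrer">';
}
$acknowledgments .= htmlspecialchars($acknowledgment['Name'], ENT_QUOTES, 'UTF-8');
if ($company !== '') {
    $acknowledgments .= ' - ' . htmlspecialchars($company, ENT_QUOTES, 'UTF-8');
}
if ($mail !== '') {
    $acknowledgments .= ' (' . htmlspecialchars($mail, ENT_QUOTES, 'UTF-8') . ')';
}
$acknowledgments .= ' - ' . htmlspecialchars($reason, ENT_QUOTES, 'UTF-8');
// … unchanged: closing </a> and </li>, file output, RSS and overview generation …
```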
diff --git a/old/generator/template.php b/old/generator/template.php
new file mode 100644
index 0000000..6689b92
--- /dev/null
+++ b/old/generator/template.php
@@ -0,0 +1,33 @@
+<div class="row page-content-header">
+<div class="col-md-12">
+ <h1>Security Advisory</h1>
+ <a href="/security/advisories/">Back to advisories</a>
+</div>
+</div>
+<div class="row">
+ <div class="col-md-12">
+ <h2>~~TITLE~~ (~~IDENTIFIER~~)</h2>
+ <p>~~DATE~~</p>
+ <p>Risk level: <strong>~~LEVEL~~</strong></p>
+ ~~CVSS~~
+ ~~CWE~~
+ ~~HackerOne~~
+ <h3>Description</h3>
+ <p>~~DESCRIPTION~~</p>
+ <h3>Affected Software</h3>
+ <ul>
+ ~~AFFECTEDVERSIONS~~
+ </ul>
+ <h3>Action Taken</h3>
+ <p>~~ACTION~~</p>
+ <h3>Resolution</h3>
+ <p>~~RESOLUTION~~</p>
+ <h3>Acknowledgements</h3>
+ <p>The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:</p>
+ <ul>
+ ~~ACKNOWLEDGMENTS~~
+ </ul>
+ <br/>
+ <small style="color:grey">This advisory is licensed <a href="https://creativecommons.org/licenses/by-sa/4.0/">CC BY-SA 4.0</a>.</small>
+ </div>
+</div>
diff --git a/old/groupfolders/nc-sa-2020-017.json b/old/groupfolders/nc-sa-2020-017.json
new file mode 100644
index 0000000..bbdfbd6
--- /dev/null
+++ b/old/groupfolders/nc-sa-2020-017.json
@@ -0,0 +1,30 @@
+{
+ "Title": "Renaming an item to a protected hidden folder deletes the target",
+ "Timestamp": 1563192000,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 6.8,
+ "vector": "AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:H"
+ },
+ "CWE": {
+ "id": 284,
+ "name": "Improper Access Control - Generic"
+ },
+ "HackerOne": 642515,
+ "Affected":[
+ {
+ "Version":"4.0.4",
+ "CVE":"CVE-2020-8153",
+ "Operator":"<"
+ }
+ ],
+ "Description":"Improper access control in Groupfolders app 4.0.3 allowed to delete hidden directories when when renaming an accessible item to the same name.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Francesco MORO(sinotto)",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Groupfolders app is upgraded to 4.0.4."
+}
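Review bot: `"Timestamp": 1563192000` decodes to 15 July 2019, while the advisory id is nc-sa-2020-017 and the CVE is CVE-2020-8153. The generator in this commit takes the overview year from the identifier and the displayed date from the timestamp, so this entry would appear under 2020 with a 2019 date; please confirm the publication date. nc-sa-2020-003.json (timestamp 1574208000, November 2019) shows the same year mismatch between id and date. The `Description` also repeats a word in `when when renaming`.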
diff --git a/old/ios/nc-sa-2019-017.json b/old/ios/nc-sa-2019-017.json
new file mode 100644
index 0000000..3748105
--- /dev/null
+++ b/old/ios/nc-sa-2019-017.json
@@ -0,0 +1,31 @@
+{
+ "Title": "Login and token disclosure to other Nextcloud services",
+ "Timestamp": 1573560000,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 5.9,
+ "vector": "AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L"
+ },
+ "CWE": {
+ "id": 657,
+ "name": "Violation of Secure Design Principles"
+ },
+ "HackerOne": 672623,
+ "Affected":[
+ {
+ "Version":"2.24.0",
+ "CVE":"CVE-2019-15611",
+ "Operator":"<"
+ }
+ ],
+ "Description":"Violation of Secure Design Principles in the iOS App 2.23.0 causes the app to leak its login and token to other Nextcloud services when search e.g. for federated users or registering for push notifications.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Jannik Großkopf",
+ "Company": "Telekom Security",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the iOS App is upgraded to 2.24.0."
+}
diff --git a/old/ios/nc-sa-2020-003.json b/old/ios/nc-sa-2020-003.json
new file mode 100644
index 0000000..3c0209d
--- /dev/null
+++ b/old/ios/nc-sa-2020-003.json
@@ -0,0 +1,36 @@
+{
+ "Title": "Missing sanitization in iOS App allows XSS",
+ "Timestamp": 1574208000,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 3.5,
+ "vector": "AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N"
+ },
+ "CWE": {
+ "id": 116,
+ "name": "Improper Encoding or Escaping of Output"
+ },
+ "HackerOne": 575562,
+ "Affected":[
+ {
+ "Version":"2.25.0",
+ "CVE":"CVE-2019-15614",
+ "Operator":"<"
+ }
+ ],
+ "Description":"Missing sanitization in the iOS App 2.24.4 causes an XSS when opening malicious HTML files.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "noobsec",
+ "Mail": "root@noobsec.org",
+ "Website": "https://noobsec.org",
+ "Reason": "Vulnerability discovery and disclosure."
+ },
+ {
+ "Name": "Wannarat C. / MisterHuntz",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the iOS App is upgraded to 2.25.0."
+}
diff --git a/old/lookup-server/nc-sa-2019-010.json b/old/lookup-server/nc-sa-2019-010.json
new file mode 100644
index 0000000..34fedfc
--- /dev/null
+++ b/old/lookup-server/nc-sa-2019-010.json
@@ -0,0 +1,31 @@
+{
+ "Title": "SQL Injection in lookup-server",
+ "Timestamp": 1564135200,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 10,
+ "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N"
+ },
+ "CWE": {
+ "id": 89,
+ "name": "SQL Injection"
+ },
+ "HackerOne": 508487,
+ "Affected":[
+ {
+ "Version":"0.3.0",
+ "CVE":"CVE-2019-5476",
+ "Operator":"<"
+ }
+ ],
+ "Description":"Improper sanitation of user input allowed any unauthenticated user to perform SQL injection attacks.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Leon Klingele",
+ "Mail": "security@leonklingele.de",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that all instances are upgraded to at least version 0.3.0."
+}
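Review bot: `"Risk": 1` is rendered as "Low" by the generator's switch, yet this advisory carries a CVSS3 score of 10 for an unauthenticated SQL injection. If `Risk` is meant to track severity, `"Risk": 3` would match the score. The two values will otherwise appear side by side on the advisory page and contradict each other. Unlike the sibling advisories, the `Description` does not name the affected lookup-server version, so readers must infer it from the `Affected` block.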
diff --git a/old/mail/nc-sa-2020-020.json b/old/mail/nc-sa-2020-020.json
new file mode 100644
index 0000000..6c22ebc
--- /dev/null
+++ b/old/mail/nc-sa-2020-020.json
@@ -0,0 +1,31 @@
+{
+ "Title": "Mail app not verifying TLS host of mail servers",
+ "Timestamp": 1585051200,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 5.9,
+ "vector": "AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L"
+ },
+ "CWE": {
+ "id": 295,
+ "name": "Improper Certificate Validation"
+ },
+ "HackerOne": 803734,
+ "Affected":[
+ {
+ "Version":"1.1.4",
+ "CVE":"CVE-2020-8156",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A missing verification of the TLS host in Nextcloud Mail 1.1.3 allowed a man in the middle attack.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Frank Isemann",
+ "Mail": "frank@isemann.name",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Mail app is upgraded to 1.1.4."
+}
diff --git a/old/preferred_providers/nc-sa-2020-028.json b/old/preferred_providers/nc-sa-2020-028.json
new file mode 100644
index 0000000..51ec1d7
--- /dev/null
+++ b/old/preferred_providers/nc-sa-2020-028.json
@@ -0,0 +1,31 @@
+{
+ "Title": "Possible denial of service when entering a long password",
+ "Timestamp": 1592308800,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 5.3,
+ "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+ },
+ "CWE": {
+ "id": 307,
+ "name": "Brute Force"
+ },
+ "HackerOne": 840598,
+ "Affected":[
+ {
+ "Version":"1.7.0",
+ "CVE":"CVE-2020-8202",
+ "Operator":"<"
+ }
+ ],
+ "Description":"Improper check of inputs in Preferred providers app 1.6.0 allowed to perform a denial of service attack when using a very long password.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Abhishek Raj",
+ "Mail": "araj07810@gmail.com",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Preferred providers app is upgraded to 1.7.0."
+}
diff --git a/old/preferred_providers/nc-sa-2020-033.json b/old/preferred_providers/nc-sa-2020-033.json
new file mode 100644
index 0000000..595765a
--- /dev/null
+++ b/old/preferred_providers/nc-sa-2020-033.json
@@ -0,0 +1,31 @@
+{
+ "Title": "Missing rate limit on signup page",
+ "Timestamp": 1596456000,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 3.5,
+ "vector": "AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L"
+ },
+ "CWE": {
+ "id": 840,
+ "name": "Business Logic Errors"
+ },
+ "HackerOne": 922470,
+ "Affected":[
+ {
+ "Version":"1.8.0",
+ "CVE":"CVE-2020-8228",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A missing rate limit in the Preferred Providers app 1.7.0 allowed an attacker to set the password an uncontrolled amount of times.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Faeeq jalali",
+ "Mail": "faeeqjalali24@gmail.com",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Preferred Providers app is upgraded to 1.8.0."
+}
diff --git a/old/server/nc-sa-2016-001.json b/old/server/nc-sa-2016-001.json
new file mode 100644
index 0000000..84631e2
--- /dev/null
+++ b/old/server/nc-sa-2016-001.json
@@ -0,0 +1,35 @@
+{
+ "Title": "Stored XSS in \"gallery\" application",
+ "Timestamp": 1468916769,
+ "Risk": 2,
+ "CVSS3": {
+ "score": 6.4,
+ "vector": "AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"
+ },
+ "CWE": {
+ "id": 79,
+ "name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
+ },
+ "HackerOne": 145355,
+ "Affected":[
+ {
+ "Version":"9.0.52",
+ "CVE":"CVE-2016-7419",
+ "Operator":"<",
+ "Commits": [
+ "gallery/6933d27afe518967bd1b60e6a7eacd88288929fc"
+ ]
+ }
+ ],
+ "Description":"Due to a recent migration of the Gallery app to the new sharing endpoint a parameter changed from an integer to a string value. This value wasn't sanitized before and was thus now vulnerable to a Cross-Site-Scripting attack.To exploit this vulnerability an authenticated attacker has to share a folder with someone else, get them to open the shared folder in the Gallery app and open the sharing window there. Since Nextcloud employs a strict Content-Security-Policy this vulnerability is only exploitable in browsers not supporting Content-Security-Policy. You can check at <a href=\"http://caniuse.com/#feat=contentsecuritypolicy\">caniuse.com</a> whether your browser supports CSP.",
+ "ActionTaken": "The user input is now properly sanitised before provided back to the user. ",
+ "Acknowledgment":[
+ {
+ "Name":"Frans Rosen",
+ "Company":"Detectify",
+ "Website":"https://www.detectify.com",
+ "Reason":"Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution":"It is recommended that all instances are upgraded to Nextcloud 9.0.52."
+}
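Review bot: The `Description` embeds an HTML anchor (`<a href=\"http://caniuse.com/...\">`), which forces the generator to insert every advisory's `Description` into the page unescaped and makes that field trusted HTML for all contributors. Keeping `Description` as plain text and moving links into a dedicated field would let the generator escape it, for example a new `"References": ["https://caniuse.com/#feat=contentsecuritypolicy"]`. nc-sa-2016-006.json and nc-sa-2016-008.json embed `<strong>` and `<em>` markup in the same way. The link target is also plain `http://`, and a space is missing in `attack.To exploit`.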
diff --git a/old/server/nc-sa-2016-002.json b/old/server/nc-sa-2016-002.json
new file mode 100644
index 0000000..da548a7
--- /dev/null
+++ b/old/server/nc-sa-2016-002.json
@@ -0,0 +1,33 @@
+{
+ "Title": "Log pollution can potentially lead to local HTML injection",
+ "Timestamp": 1468916769,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 4.3,
+ "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"
+ },
+ "CWE": {
+ "id": 209,
+ "name": "Cross-Site Scripting Using MIME Type Mismatch"
+ },
+ "HackerOne": 146278,
+ "Affected":[
+ {
+ "Version":"9.0.52",
+ "CVE":"CVE-2016-9459",
+ "Operator":"<",
+ "Commits": [
+ "server/94975af6db1551c2d23136c2ea22866a5b416070"
+ ]
+ }
+ ],
+ "Description":"The \"download log\" functionality in the admin screen is delivering the log in JSON format to the end-user. The file was delivered with an attachment disposition forcing the browser to download the document. However, Firefox running on Microsoft Windows would offer the user to open the data in the browser as HTML document. Thus any injected data in the log would be executed.While the document would only be executed locally (thus on another scope) we have decided to fix this to protect our users.",
+ "ActionTaken": "The file is now delivered with a content-type of \"application/octet-stream\".",
+ "Acknowledgment":[
+ {
+ "Name":"Alejo Popovici",
+ "Reason":"Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution":"It is recommended that all instances are upgraded to Nextcloud 9.0.52."
+}
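Review bot: The `CWE` block pairs `"id": 209` with the name "Cross-Site Scripting Using MIME Type Mismatch", which is the title of CAPEC-209, not of CWE-209 (CWE-209 covers error messages that expose sensitive information). The generator builds the link `https://cwe.mitre.org/data/definitions/209.html` from this id, so the rendered advisory would send readers to an unrelated weakness. A CWE entry that matches the described HTML injection should be used, for example the `"id": 79` entry that nc-sa-2016-001.json already carries, or the block should be dropped.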
diff --git a/old/server/nc-sa-2016-003.json b/old/server/nc-sa-2016-003.json
new file mode 100644
index 0000000..d18d186
--- /dev/null
+++ b/old/server/nc-sa-2016-003.json
@@ -0,0 +1,36 @@
+{
+ "Title": "Content-Spoofing in \"files\" app",
+ "Timestamp": 1468916769,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 0,
+ "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
+ },
+ "CWE": {
+ "id": 451,
+ "name": "User Interface (UI) Misrepresentation of Critical Information"
+ },
+ "HackerOne": 145463,
+ "Affected":[
+ {
+ "Version":"9.0.52",
+ "CVE":"CVE-2016-9460",
+ "Operator":"<",
+ "Commits": [
+ "server/2da43e3751576bbc838f238a09955c4dcdebee8e",
+ "server/8aa0832bd449c44ec300da4189bd8ed4e036140c",
+ "server/dea8e29289a1b99d5e889627c2e377887f4f2983"
+ ]
+ }
+ ],
+ "Description":"The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user.",
+ "ActionTaken": "The passed parameter is now verified.",
+ "Acknowledgment":[
+ {
+ "Name":"Md. Ishrat Shahriyar",
+ "Website": "https://twitter.com/meshahriyar",
+ "Reason":"Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution":"It is recommended that all instances are upgraded to Nextcloud 9.0.52."
+}
diff --git a/old/server/nc-sa-2016-004.json b/old/server/nc-sa-2016-004.json
new file mode 100644
index 0000000..130f347
--- /dev/null
+++ b/old/server/nc-sa-2016-004.json
@@ -0,0 +1,33 @@
+{
+ "Title": "Edit permission check not enforced on WebDAV COPY action",
+ "Timestamp": 1468916769,
+ "Risk": 2,
+ "CVSS3": {
+ "score": 3.1,
+ "vector": "AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N"
+ },
+ "CWE": {
+ "id": 275,
+ "name": "Permission Issues"
+ },
+ "HackerOne": 145950,
+ "Affected":[
+ {
+ "Version":"9.0.52",
+ "CVE":"CVE-2016-9461",
+ "Operator":"<",
+ "Commits": [
+ "server/3491400261c1454a9a30d3ec96969573330120cc"
+ ]
+ }
+ ],
+ "Description":"The WebDAV endpoint was not properly checking the permission on a WebDAV \"COPY\" action. This allowed an authenticated attacker with access to a read-only share to put new files in there. It was not possible to modify existing files.",
+ "ActionTaken": "The permission check is now also performed on \"COPY\" actions,",
+ "Acknowledgment":[
+ {
+ "Name":"Kumar Saurabh",
+ "Reason":"Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution":"It is recommended that all instances are upgraded to Nextcloud 9.0.52."
+}
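Review bot: `"Risk": 2` here and `"Risk": 1` in nc-sa-2016-005.json are attached to the same CVSS3 score (3.1) and the same vector, so the two advisories render as "Medium" and "Low" for what the scoring treats as equal severity. One of the two should be aligned, or the reason for the difference stated in the `Description`. `ActionTaken` also ends in a comma instead of a full stop: `\"COPY\" actions,`.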
diff --git a/old/server/nc-sa-2016-005.json b/old/server/nc-sa-2016-005.json
new file mode 100644
index 0000000..0856c01
--- /dev/null
+++ b/old/server/nc-sa-2016-005.json
@@ -0,0 +1,33 @@
+{
+ "Title": "Read-only share recipient can restore old versions of file",
+ "Timestamp": 1468916769,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 3.1,
+ "vector": "AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N"
+ },
+ "CWE": {
+ "id": 275,
+ "name": "Permission Issues"
+ },
+ "HackerOne": 146067,
+ "Affected":[
+ {
+ "Version":"9.0.52",
+ "CVE":"CVE-2016-9462",
+ "Operator":"<",
+ "Commits": [
+ "server/1208953ba1d4d55a18a639846bbcdd66a2d5bc5e"
+ ]
+ }
+ ],
+ "Description":"The restore capability of Nextcloud was not verifying whether an user has only read-only access to a share. Thus an user with read-only access was able to restore old versions.",
+ "ActionTaken": "The permission check is now also performed on restore actions.",
+ "Acknowledgment":[
+ {
+ "Name":"Rudra Pratap Singh",
+ "Reason":"Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution":"It is recommended that all instances are upgraded to Nextcloud 9.0.52."
+}
diff --git a/old/server/nc-sa-2016-006.json b/old/server/nc-sa-2016-006.json
new file mode 100644
index 0000000..7157c07
--- /dev/null
+++ b/old/server/nc-sa-2016-006.json
@@ -0,0 +1,44 @@
+{
+ "Title": "SMB User Authentication Bypass",
+ "Timestamp": 1476098466,
+ "Risk": 3,
+ "CVSS3": {
+ "score": 7.4,
+ "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
+ },
+ "CWE": {
+ "id": 303,
+ "name": "Incorrect Implementation of Authentication Algorithms"
+ },
+ "HackerOne": 148151,
+ "Affected":[
+ {
+ "Version":"9.0.54",
+ "CVE":"CVE-2016-9463",
+ "Operator":"<",
+ "Commits": [
+ "apps/decb91fd31f4ffab191cbf09ce4e5c55c67a4087"
+ ]
+ },
+ {
+ "Version":"10.0.1",
+ "CVE":"CVE-2016-9463",
+ "Operator":"<",
+ "Commits": [
+ "apps/b85ace6840b8a6704641086bc3b8eb8e81cb2274"
+ ]
+ }
+ ],
+ "Description": "Nextcloud includes an optional and not by default enabled SMB authentication component that allows to authenticate users against an SMB server.This backend is implemented in a way that it tries to connect to a SMB server and if that succeeded consider the user logged-in.The backend did not properly take into account SMB servers that any kind of anonymous auth configured. This is the default on SMB servers nowadays and allows an unauthenticated attacker to gain access to an account without valid credentials.<strong>Note:</strong> The SMB backend is disabled by default and requires manual configuration in the Nextcloud config file. If you have not configured the SMB backend then you're not affected by this vulnerability.<em><a href=\"https://rhinosecuritylabs.com/2016/10/operation-ownedcloud-exploitation-post-exploitation-persistence/\">The reporter has published a blog post about this issue on their website as well.</a></em>",
+ "ActionTaken": "The SMB backend is now performing an additional authentication attempt with invalid credentials. If that succeeds as well it assumes that anonymous authentications are enabled and denies the login attempt.",
+ "Acknowledgment":[
+ {
+ "Name": "Dwight Hohnstein",
+ "Company": "Rhino Security Labs",
+ "Website": "https://rhinosecuritylabs.com/",
+ "Email": "dwight.hohnstein@rhinosecuritylabs.com",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that all instances are upgraded to Nextcloud 9.0.54 or 10.0.1."
+}
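Review bot: The acknowledgment uses the key `Email`, but the generator added in this commit reads `$acknowledgment['Mail']` and the other advisories use `Mail`, so this address is silently dropped from the rendered page. The key should be renamed to `"Mail": "dwight.hohnstein@rhinosecuritylabs.com"`, or removed if the address is not meant to be published. nc-sa-2016-008.json has the same `Email` key.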
diff --git a/old/server/nc-sa-2016-007.json b/old/server/nc-sa-2016-007.json
new file mode 100644
index 0000000..3eff23a
--- /dev/null
+++ b/old/server/nc-sa-2016-007.json
@@ -0,0 +1,44 @@
+{
+ "Title": "Improper authorization check on removing shares",
+ "Timestamp": 1476098466,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 2.6,
+ "vector": "AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L"
+ },
+ "CWE": {
+ "id": 285,
+ "name": "Improper Authorization"
+ },
+ "HackerOne": 153905,
+ "Affected":[
+ {
+ "Version":"9.0.54",
+ "CVE":"CVE-2016-9464",
+ "Operator":"<",
+ "Commits": [
+ "server/a5471b4a3e3f30e99e4de39c97c0c3b3c2f1618f",
+ "server/3387e5d00fcf6b2ea6b285a091e5743f545e7202"
+ ]
+ },
+ {
+ "Version":"10.0.0",
+ "CVE":"CVE-2016-9464",
+ "Operator":"<",
+ "Commits": [
+ "server/7289cb5ec0b812992ab0dfb889744b94bc0994f0",
+ "server/e2c4f4f9aa11bc92e8f2212cce73841b922187e8"
+ ]
+ }
+ ],
+ "Description": "The Sharing Backend as implemented in Nextcloud does differentiate between shares to users and groups. In case of a received group share, users should be able to unshare the file to themselves but not to the whole group. The previous API implementation did simply unshare the file to all users in the group.",
+ "ActionTaken": "Additional access control checks have been added to the sharing API.",
+ "Acknowledgment":[
+ {
+ "Name": "Nguyen Van Thang",
+ "Website": "https://www.facebook.com/profile.php?id=100006312211628",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that all instances are upgraded to Nextcloud 9.0.54 or 10.0.0."
+}
diff --git a/old/server/nc-sa-2016-008.json b/old/server/nc-sa-2016-008.json
new file mode 100644
index 0000000..525df9d
--- /dev/null
+++ b/old/server/nc-sa-2016-008.json
@@ -0,0 +1,36 @@
+{
+ "Title": "Stored XSS in CardDAV image export",
+ "Timestamp": 1476098466,
+ "Risk": 2,
+ "CVSS3": {
+ "score": 5.4,
+ "vector": "AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+ },
+ "CWE": {
+ "id": 79,
+ "name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
+ },
+ "HackerOne": 163338,
+ "Affected":[
+ {
+ "Version":"10.0.1",
+ "CVE":"CVE-2016-9465",
+ "Operator":"<",
+ "Commits": [
+ "server/68ab8325c799d20c1fb7e98d670785176590e7d0"
+ ]
+ }
+ ],
+ "Description": "The CardDAV image export functionality as implemented in Nextcloud allows the download of images stored within a vCard. Due to not performing any kind of verification on the image content this is prone to a stored Cross-Site Scripting attack.<strong>Note:</strong> Nextcloud employs a very strict Content Security Policy on the DAV endpoints. This is thus only exploitable on browsers that don't support Content Security Policy.",
+ "ActionTaken": "The mimetype of the exported image is now compared with a whitelist as well as download disposition headers have been set on the response.",
+ "Acknowledgment":[
+ {
+ "Name": "Lukas Reschke",
+ "Website": "https://nextcloud.com",
+ "Company": "Nextcloud GmbH",
+ "Email": "lukas@nextcloud.com",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that all instances are upgraded to Nextcloud 10.0.1."
+}
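Review bot: The `Description` value embeds raw HTML (`<strong>Note:</strong>`), so whatever renders this field must emit it unescaped, and an advisory feed is a poor place for a field that is sometimes text and sometimes markup. `ActionTaken` in nc-sa-2017-007.json does the same with an `<a href=...>` element. I would either keep these fields plain text or state in the schema that they are trusted HTML and must never be filled from reporter-supplied text without review; how old/generator/template.php treats them is not visible here. The sentence break is also lost before the tag: `attack. <strong>Note:</strong> Nextcloud employs`.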
diff --git a/old/server/nc-sa-2016-009.json b/old/server/nc-sa-2016-009.json
new file mode 100644
index 0000000..8441d9c
--- /dev/null
+++ b/old/server/nc-sa-2016-009.json
@@ -0,0 +1,33 @@
+{
+ "Title": "Reflected XSS in Gallery application",
+ "Timestamp": 1476098466,
+ "Risk": 2,
+ "CVSS3": {
+ "score": 6.1,
+ "vector": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ },
+ "CWE": {
+ "id": 79,
+ "name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
+ },
+ "HackerOne": 165686,
+ "Affected":[
+ {
+ "Version":"10.0.1",
+ "CVE":"CVE-2016-9466",
+ "Operator":"<",
+ "Commits": [
+ "gallery/f9ef505c1d60c9041e251682e0f6b3daad952d58"
+ ]
+ }
+ ],
+ "Description": "The gallery app was not properly sanitizing exception messages from the Nextcloud server. Due to an endpoint where an attacker could influence the error message this lead to a reflected Cross-Site-Scripting vulnerability.",
+ "ActionTaken": "Error messages are now properly sanitized.",
+ "Acknowledgment":[
+ {
+ "Name": "Aliaksei Panamarenka",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that all instances are upgraded to Nextcloud 10.0.1."
+}
diff --git a/old/server/nc-sa-2016-010.json b/old/server/nc-sa-2016-010.json
new file mode 100644
index 0000000..a9c73d8
--- /dev/null
+++ b/old/server/nc-sa-2016-010.json
@@ -0,0 +1,46 @@
+{
+ "Title": "Content-Spoofing in \"files\" app",
+ "Timestamp": 1476098466,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 3.1,
+ "vector": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
+ },
+ "CWE": {
+ "id": 451,
+ "name": "User Interface (UI) Misrepresentation of Critical Information"
+ },
+ "HackerOne": 154827,
+ "Affected":[
+ {
+ "Version":"10.0.1",
+ "CVE":"CVE-2016-9467",
+ "Operator":"<",
+ "Commits": [
+ "server/ed0f0db5fa0aff04594cb0f973ae4c22b17a175a",
+ "server/c3ae21fef2880c9fe44e8fdbe1262ac7f9716f14",
+ "server/df50e967dbd27b13875625b7dd3189294619b071"
+ ]
+ },
+ {
+ "Version":"9.0.54",
+ "CVE":"CVE-2016-9467",
+ "Operator":"<",
+ "Commits": [
+ "server/778ae8abd54c378fc4781394bbedc7a2ee3095e1",
+ "server/5dd211cc8845fd4533966bf8d7a7f2a6359ea013",
+ "server/1352365e8bf5ea49da3dc82b1ccf7ddb659ae960"
+ ]
+ }
+ ],
+ "Description":"The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user.",
+ "ActionTaken": "The passed parameter is now verified.",
+ "Acknowledgment":[
+ {
+ "Name": "lmx",
+ "Website": "https://hackerone.com/lmx",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that all instances are upgraded to Nextcloud 9.0.54 or 10.0.1."
+}
diff --git a/old/server/nc-sa-2016-011.json b/old/server/nc-sa-2016-011.json
new file mode 100644
index 0000000..57d5a39
--- /dev/null
+++ b/old/server/nc-sa-2016-011.json
@@ -0,0 +1,43 @@
+{
+ "Title": "Content-Spoofing in \"dav\" app",
+ "Timestamp": 1476098466,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 3.1,
+ "vector": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
+ },
+ "CWE": {
+ "id": 451,
+ "name": "User Interface (UI) Misrepresentation of Critical Information"
+ },
+ "HackerOne": 149798,
+ "Affected":[
+ {
+ "Version":"10.0.1",
+ "CVE":"CVE-2016-9468",
+ "Operator":"<",
+ "Commits": [
+ "server/7350e13113c8ed484727a5c25331ec11d4d59f5f"
+ ]
+ },
+ {
+ "Version":"9.0.54",
+ "CVE":"CVE-2016-9468",
+ "Operator":"<",
+ "Commits": [
+ "server/a4cfb3ddc1f4cdb585e05c0e9b2f8e52a0e2ee3e"
+ ]
+ }
+ ],
+ "Description":"The exception message displayed on the DAV endpoints contained partially user-controllable input leading to a potential misrepresentation of information.",
+ "ActionTaken": "The user-controlled content has been removed from the exception message.",
+ "Acknowledgment":[
+ {
+ "Name": "YoKo Kho",
+ "Company": "MII CAS",
+ "Website": "https://twitter.com/YoKoAcc",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that all instances are upgraded to Nextcloud 9.0.54 or 10.0.1."
+}
diff --git a/old/server/nc-sa-2017-001.json b/old/server/nc-sa-2017-001.json
new file mode 100644
index 0000000..c9fdfef
--- /dev/null
+++ b/old/server/nc-sa-2017-001.json
@@ -0,0 +1,37 @@
+{
+ "Title": "Permission increase on re-sharing via OCS API",
+ "Timestamp": 1486290968,
+ "Risk": 2,
+ "CVSS3": {
+ "score": 5.4,
+ "vector": "AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+ },
+ "CWE": {
+ "id": 275,
+ "name": "Permission Issues"
+ },
+ "HackerOne": 169680,
+ "Affected":[
+ {
+ "Version":"10.0.2",
+ "CVE":"CVE-2017-0883",
+ "Operator":"<"
+ },
+ {
+ "Version":"9.0.55",
+ "CVE":"CVE-2017-0883",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A permission related issue within the OCS sharing API allowed an authenticated adversary to reshare shared files with an increasing permission set. This may allow an attacker to edit files in a share despite having only a 'read' permission set.Note that this only affects folders and files that the adversary has at least read-only permissions for.",
+ "ActionTaken": "The permissions are now properly checked on the OCS endpoint.",
+ "Acknowledgment":[
+ {
+ "Name": "secator",
+ "Email": "info@secator.com",
+ "Website": "https://secator.com/",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that all instances are upgraded to Nextcloud 9.0.55 or 10.0.2."
+}
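Review bot: Neither `Affected` entry carries the `Commits` array that the 2016 advisories in this commit have (for example nc-sa-2016-011.json), so someone backporting or verifying the fix cannot get from the advisory to the patch. This holds for every advisory from here to the end of this part of the diff. If the fixing commits are known, add them per branch in the existing form, `"Commits": ["server/<fix-commit-sha>"]`. Separately, the `Description` lost a sentence break at `set.Note that`; the same happens in nc-sa-2017-002.json, nc-sa-2017-008.json and nc-sa-2017-010.json.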
diff --git a/old/server/nc-sa-2017-002.json b/old/server/nc-sa-2017-002.json
new file mode 100644
index 0000000..4aa9efb
--- /dev/null
+++ b/old/server/nc-sa-2017-002.json
@@ -0,0 +1,37 @@
+{
+ "Title": "Creation of folders in read-only folders despite lacking permissions",
+ "Timestamp": 1486290968,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 4.1,
+ "vector": "AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N"
+ },
+ "CWE": {
+ "id": 275,
+ "name": "Permission Issues"
+ },
+ "HackerOne": 169680,
+ "Affected":[
+ {
+ "Version":"10.0.2",
+ "CVE":"CVE-2017-0884",
+ "Operator":"<"
+ },
+ {
+ "Version":"9.0.55",
+ "CVE":"CVE-2017-0884",
+ "Operator":"<"
+ }
+ ],
+ "Description":"Due to a logical error in the file caching layer an authenticated adversary is able to create empty folders inside a shared folder.Note that this only affects folders and files that the adversary has at least read-only permissions for.",
+ "ActionTaken": "The file cache operation is now only performed if the file system operation succeeded.",
+ "Acknowledgment":[
+ {
+ "Name": "secator",
+ "Email": "info@secator.com",
+ "Website": "https://secator.com/",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that all instances are upgraded to Nextcloud 9.0.55 or 10.0.2."
+}
diff --git a/old/server/nc-sa-2017-003.json b/old/server/nc-sa-2017-003.json
new file mode 100644
index 0000000..dc88f8a
--- /dev/null
+++ b/old/server/nc-sa-2017-003.json
@@ -0,0 +1,37 @@
+{
+ "Title": "Error message discloses existence of file in write-only share",
+ "Timestamp": 1486290968,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 3.7,
+ "vector": "AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L"
+ },
+ "CWE": {
+ "id": 209,
+ "name": "Information Exposure Through an Error Message"
+ },
+ "HackerOne": 174524,
+ "Affected":[
+ {
+ "Version":"10.0.2",
+ "CVE":"CVE-2017-0885",
+ "Operator":"<"
+ },
+ {
+ "Version":"9.0.55",
+ "CVE":"CVE-2017-0885",
+ "Operator":"<"
+ }
+ ],
+ "Description":"Due to an error in the application logic an adversary with access to a write-only share may enumerate the names of existing files and subfolders by comparing the exception messages.",
+ "ActionTaken": "The error in the application logic has been addressed.",
+ "Acknowledgment":[
+ {
+ "Name": "secator",
+ "Email": "info@secator.com",
+ "Website": "https://secator.com/",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that all instances are upgraded to Nextcloud 9.0.55 or 10.0.2."
+}
diff --git a/old/server/nc-sa-2017-004.json b/old/server/nc-sa-2017-004.json
new file mode 100644
index 0000000..55dc095
--- /dev/null
+++ b/old/server/nc-sa-2017-004.json
@@ -0,0 +1,37 @@
+{
+ "Title": "Denial of Service attack",
+ "Timestamp": 1486290968,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 5.0,
+ "vector": "AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L"
+ },
+ "CWE": {
+ "id": 674,
+ "name": "Uncontrolled Recursion"
+ },
+ "HackerOne": 174524,
+ "Affected":[
+ {
+ "Version":"10.0.2",
+ "CVE":"CVE-2017-0886",
+ "Operator":"<"
+ },
+ {
+ "Version":"9.0.55",
+ "CVE":"CVE-2017-0886",
+ "Operator":"<"
+ }
+ ],
+ "Description":"Due to an error in the application logic an authenticated adversary may trigger an endless recursion in the application leading to a potential Denial of Service.",
+ "ActionTaken": "The code path leading to the endless recursion is now properly handled.",
+ "Acknowledgment":[
+ {
+ "Name": "secator",
+ "Email": "info@secator.com",
+ "Website": "https://secator.com/",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that all instances are upgraded to Nextcloud 9.0.55 or 10.0.2."
+}
diff --git a/old/server/nc-sa-2017-005.json b/old/server/nc-sa-2017-005.json
new file mode 100644
index 0000000..b6d9b9e
--- /dev/null
+++ b/old/server/nc-sa-2017-005.json
@@ -0,0 +1,35 @@
+{
+ "Title": "Bypassing quota limitation",
+ "Timestamp": 1486290968,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 0.0,
+ "vector": "AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:N"
+ },
+ "CWE": {
+ "id": 807,
+ "name": "Reliance on Untrusted Inputs in a Security Decision"
+ },
+ "HackerOne": 173622,
+ "Affected":[
+ {
+ "Version":"10.0.2",
+ "CVE":"CVE-2017-0887",
+ "Operator":"<"
+ },
+ {
+ "Version":"9.0.55",
+ "CVE":"CVE-2017-0887",
+ "Operator":"<"
+ }
+ ],
+ "Description":"Due to not properly sanitzing values provided by the `OC-Total-Length` HTTP header an authenticated adversary may be able to exceed their configured user quota. Thus using more space than allowed by the administrator.",
+ "ActionTaken": "The `OC-Total-Length` HTTP header is now properly sanitized.",
+ "Acknowledgment":[
+ {
+ "Name": "Nordin",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that all instances are upgraded to Nextcloud 9.0.55 or 10.0.2."
+}
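Review bot: The `CVSS3` block scores this advisory 0.0 because the vector ends in `C:N/I:N/A:N`, which says the issue has no impact at all, yet the `Description` states that a user can exceed their configured quota. Anything that sorts or filters advisories by score will drop it. I would set the impact metric that matches the description (availability looks closest, but that is for the advisory author to confirm) and recompute `score`. nc-sa-2018-008.json has the same 0.0 score with an all-`N` impact vector for a stored XSS. `sanitzing` in the `Description` should read `sanitizing`.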
diff --git a/old/server/nc-sa-2017-006.json b/old/server/nc-sa-2017-006.json
new file mode 100644
index 0000000..9f6670b
--- /dev/null
+++ b/old/server/nc-sa-2017-006.json
@@ -0,0 +1,37 @@
+{
+ "Title": "Content-Spoofing in \"files\" app",
+ "Timestamp": 1486290968,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 3.1,
+ "vector": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
+ },
+ "CWE": {
+ "id": 451,
+ "name": "User Interface (UI) Misrepresentation of Critical Information"
+ },
+ "HackerOne": 179073,
+ "Affected":[
+ {
+ "Version":"10.0.2",
+ "CVE":"CVE-2017-0888",
+ "Operator":"<"
+ },
+ {
+ "Version":"9.0.55",
+ "CVE":"CVE-2017-0888",
+ "Operator":"<"
+ }
+ ],
+ "Description":"The top navigation bar displayed in the files list contained partially user-controllable input leading to a potential misrepresentation of information.",
+ "ActionTaken": "The user-controlled content is now not trusted anymore unless the folder structure exists on the file system.",
+ "Acknowledgment":[
+ {
+ "Name": "Ahsan Tahir",
+ "Email": "mrahsan1337@gmail.com",
+ "Website": "https://twitter.com/AhsanTahirAT",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that all instances are upgraded to Nextcloud 9.0.55 or 10.0.2."
+}
diff --git a/old/server/nc-sa-2017-007.json b/old/server/nc-sa-2017-007.json
new file mode 100644
index 0000000..b1fa819
--- /dev/null
+++ b/old/server/nc-sa-2017-007.json
@@ -0,0 +1,30 @@
+{
+ "Title": "DOM XSS vulnerability in search dialogue",
+ "Timestamp": 1494244800,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 2.6,
+ "vector": "AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N"
+ },
+ "CWE": {
+ "id": 79,
+ "name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
+ },
+ "HackerOne": 213227,
+ "Affected":[
+ {
+ "Version":"11.0.3",
+ "CVE":"CVE-2017-0890",
+ "Operator":"<"
+ }
+ ],
+ "Description":"Inadequate escaping lead to XSS vulnerability in the search module. To be exploitable an user has to write or paste malicious content into the search dialogue.",
+ "ActionTaken": "The content is now properly escaped, furthermore for Nextcloud 12 we have <a href=\"https://statuscode.ch/2017/03/CSP-unsafe-eval-and-jquery/\">hardened jQuery</a> to prevent such CSP bypasses.",
+ "Acknowledgment":[
+ {
+ "Name": "Ahsan Khan",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that all instances are upgraded to Nextcloud 11.0.3."
+}
diff --git a/old/server/nc-sa-2017-008.json b/old/server/nc-sa-2017-008.json
new file mode 100644
index 0000000..38e3b74
--- /dev/null
+++ b/old/server/nc-sa-2017-008.json
@@ -0,0 +1,41 @@
+{
+ "Title": "Reflected XSS in error pages",
+ "Timestamp": 1494244800,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 3.5,
+ "vector": "AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N"
+ },
+ "CWE": {
+ "id": 79,
+ "name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
+ },
+ "HackerOne": 216812,
+ "Affected":[
+ {
+ "Version":"11.0.3",
+ "CVE":"CVE-2017-0891",
+ "Operator":"<"
+ },
+ {
+ "Version":"10.0.5",
+ "CVE":"CVE-2017-0891",
+ "Operator":"<"
+ },
+ {
+ "Version":"9.0.58",
+ "CVE":"CVE-2017-0891",
+ "Operator":"<"
+ }
+ ],
+ "Description":"Inadequate escaping of error messages leads to XSS vulnerabilities in multiple components.Note that Nextcloud employs a strict Content-Security-Policy preventing exploitation of this XSS issue on modern web browsers.",
+ "ActionTaken": "Error messages are now properly escaped.",
+ "Acknowledgment":[
+ {
+ "Name": "Manuel Mancera",
+ "Website": "https://twitter.com/sinkmanu",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that all instances are upgraded to Nextcloud 9.0.58, 10.0.5 or 11.0.3."
+}
diff --git a/old/server/nc-sa-2017-009.json b/old/server/nc-sa-2017-009.json
new file mode 100644
index 0000000..43f7d53
--- /dev/null
+++ b/old/server/nc-sa-2017-009.json
@@ -0,0 +1,30 @@
+{
+ "Title": "Limitation of app specific password scope can be bypassed",
+ "Timestamp": 1494244800,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 3.0,
+ "vector": "AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N"
+ },
+ "CWE": {
+ "id": 285,
+ "name": "Improper Authorization"
+ },
+ "HackerOne": 191979,
+ "Affected":[
+ {
+ "Version":"11.0.3",
+ "CVE":"CVE-2017-0892",
+ "Operator":"<"
+ }
+ ],
+ "Description":"Improper session handling allowed an application specific password without permission to the files access to the users file.",
+ "ActionTaken": "The permission check has been corrected and reviewed.",
+ "Acknowledgment":[
+ {
+ "Name": "Mmakosdel",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that all instances are upgraded to Nextcloud 11.0.3."
+}
diff --git a/old/server/nc-sa-2017-010.json b/old/server/nc-sa-2017-010.json
new file mode 100644
index 0000000..b77c4cd
--- /dev/null
+++ b/old/server/nc-sa-2017-010.json
@@ -0,0 +1,42 @@
+{
+ "Title": "Stored XSS in Gallery application",
+ "Timestamp": 1494244800,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 3.0,
+ "vector": "AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N"
+ },
+ "CWE": {
+ "id": 79,
+ "name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
+ },
+ "HackerOne": 222838,
+ "Affected":[
+ {
+ "Version":"11.0.3",
+ "CVE":"CVE-2017-0893",
+ "Operator":"<"
+ },
+ {
+ "Version":"10.0.5",
+ "CVE":"CVE-2017-0893",
+ "Operator":"<"
+ },
+ {
+ "Version":"9.0.58",
+ "CVE":"CVE-2017-0893",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A JavaScript library used by Nextcloud for sanitizing untrusted user-input suffered from a XSS vulnerability caused by a behaviour change in Safari 10.1 and 10.2.Note that Nextcloud employs a strict Content-Security-Policy preventing exploitation of this XSS issue on modern web browsers.",
+ "ActionTaken": "The vulnerable library has been updated.",
+ "Acknowledgment":[
+ {
+ "Name": "Lukas Reschke",
+ "Mail": "lukas@nextcloud.com",
+ "Company": "Nextcloud GmbH",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that all instances are upgraded to Nextcloud 9.0.58, 10.0.5 or 11.0.3."
+}
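Review bot: The `Acknowledgment` entry uses the key `"Mail"`, while the earlier advisories in this commit use `"Email"` for the same contact (nc-sa-2016-008.json, nc-sa-2017-001.json). A consumer that reads `Email` will silently lose the address here. I would change the line to `"Email": "lukas@nextcloud.com",`. The same applies to nc-sa-2017-011.json, nc-sa-2018-002.json, nc-sa-2018-008.json, nc-sa-2018-011.json and nc-sa-2019-001.json.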
diff --git a/old/server/nc-sa-2017-011.json b/old/server/nc-sa-2017-011.json
new file mode 100644
index 0000000..25575d8
--- /dev/null
+++ b/old/server/nc-sa-2017-011.json
@@ -0,0 +1,32 @@
+{
+ "Title": "Share tokens for public calendars disclosed",
+ "Timestamp": 1494244800,
+ "Risk": 2,
+ "CVSS3": {
+ "score": 4.3,
+ "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"
+ },
+ "CWE": {
+ "id": 548,
+ "name": "Information Exposure Through Directory Listing"
+ },
+ "HackerOne": 218876,
+ "Affected":[
+ {
+ "Version":"11.0.3",
+ "CVE":"CVE-2017-0894",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A logical error caused disclosure of valid share tokens for public calendars. Thus granting an attacker potentially access to publicly shared calendars without knowing the share token.",
+ "ActionTaken": "The error has been fixed and regression tests been added.",
+ "Acknowledgment":[
+ {
+ "Name": "Lukas Reschke",
+ "Mail": "lukas@nextcloud.com",
+ "Company": "Nextcloud GmbH",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that all instances are upgraded to Nextcloud 11.0.3."
+}
diff --git a/old/server/nc-sa-2017-012.json b/old/server/nc-sa-2017-012.json
new file mode 100644
index 0000000..4f8808b
--- /dev/null
+++ b/old/server/nc-sa-2017-012.json
@@ -0,0 +1,36 @@
+{
+ "Title": "Calendar and addressbook names disclosed",
+ "Timestamp": 1494244800,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 3.5,
+ "vector": "AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N"
+ },
+ "CWE": {
+ "id": 548,
+ "name": "Information Exposure Through Directory Listing"
+ },
+ "HackerOne": 203594,
+ "Affected":[
+ {
+ "Version":"11.0.2",
+ "CVE":"CVE-2017-0895",
+ "Operator":"<"
+ },
+ {
+ "Version":"10.0.4",
+ "CVE":"CVE-2017-0895",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A logical error caused disclosure of calendar and addressbook names to other logged-in users. Note that no actual content of the calendar and adressbook has been disclosed.",
+ "ActionTaken": "The error has been fixed and regression tests been added.",
+ "Acknowledgment":[
+ {
+ "Name": "Julius Härtl",
+ "Website": "https://juliushaertl.de",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that all instances are upgraded to Nextcloud 11.0.3."
+}
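Review bot: `Resolution` tells readers to upgrade to Nextcloud 11.0.3, but `Affected` lists `< 11.0.2` and `< 10.0.4`, so the two fields disagree on the fixed 11.x release and the 10.x branch gets no guidance at all. If `Affected` is the correct side, the text should read `"Resolution": "It is recommended that all instances are upgraded to Nextcloud 10.0.4 or 11.0.2."`. nc-sa-2018-001.json, nc-sa-2018-002.json and nc-sa-2018-003.json likewise name only the newest branch in `Resolution` while `Affected` lists an older fixed release as well. `adressbook` in the `Description` should read `addressbook`.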
diff --git a/old/server/nc-sa-2018-001.json b/old/server/nc-sa-2018-001.json
new file mode 100644
index 0000000..9c4f3f1
--- /dev/null
+++ b/old/server/nc-sa-2018-001.json
@@ -0,0 +1,36 @@
+{
+ "Title": "App password scope can be changed for other users",
+ "Timestamp": 1517961600,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 3.5,
+ "vector": "AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L"
+ },
+ "CWE": {
+ "id": 639,
+ "name": "Authorization Bypass Through User-Controlled Key"
+ },
+ "HackerOne": 297751,
+ "Affected":[
+ {
+ "Version":"12.0.5",
+ "CVE":"CVE-2017-0936",
+ "Operator":"<"
+ },
+ {
+ "Version":"11.0.7",
+ "CVE":"CVE-2017-0936",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A missing ownership check allowed logged-in users to change the scope of app passwords of other users. Note that the app passwords themselves where neither disclosed nor could the error be misused to identify as another user.",
+ "ActionTaken": "The error has been fixed and regression tests been added.",
+ "Acknowledgment":[
+ {
+ "Name": "Carl Pearson",
+ "Website": "https://cp270.wordpress.com/",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that all instances are upgraded to Nextcloud 12.0.5."
+}
diff --git a/old/server/nc-sa-2018-002.json b/old/server/nc-sa-2018-002.json
new file mode 100644
index 0000000..038d5da
--- /dev/null
+++ b/old/server/nc-sa-2018-002.json
@@ -0,0 +1,36 @@
+{
+ "Title": "File access control rules not applied to image previews",
+ "Timestamp": 1529582400,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 3.5,
+ "vector": "AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N"
+ },
+ "CWE": {
+ "id": 273,
+ "name": "Improper Check for Dropped Privileges"
+ },
+ "HackerOne": 358339,
+ "Affected":[
+ {
+ "Version":"13.0.3",
+ "CVE":"CVE-2018-3762",
+ "Operator":"<"
+ },
+ {
+ "Version":"12.0.8",
+ "CVE":"CVE-2018-3762",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A missing check for read permissions allowed users that received an incomming share containing files tagged so they should be denied access to still request a preview for those files.",
+ "ActionTaken": "The error has been fixed and regression tests been added.",
+ "Acknowledgment":[
+ {
+ "Name": "Reinis Martinsons",
+ "Mail": "reinis.martinsons@gmail.com",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that all instances are upgraded to Nextcloud 13.0.3."
+}
diff --git a/old/server/nc-sa-2018-003.json b/old/server/nc-sa-2018-003.json
new file mode 100644
index 0000000..40cfe1c
--- /dev/null
+++ b/old/server/nc-sa-2018-003.json
@@ -0,0 +1,35 @@
+{
+ "Title": "Improper validation on OAuth2 token endpoint",
+ "Timestamp": 1529582400,
+ "Risk": 2,
+ "CVSS3": {
+ "score": 6.4,
+ "vector": "AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"
+ },
+ "CWE": {
+ "id": 20,
+ "name": "Improper Input Validation"
+ },
+ "HackerOne": 343111,
+ "Affected":[
+ {
+ "Version":"13.0.3",
+ "CVE":"CVE-2018-3761",
+ "Operator":"<"
+ },
+ {
+ "Version":"12.0.8",
+ "CVE":"CVE-2018-3761",
+ "Operator":"<"
+ }
+ ],
+ "Description":"Improper validation of input allowed an attacker with access to the OAuth2 refresh token to obtain new tokens.",
+ "ActionTaken": "The error has been fixed according to RFC6749.",
+ "Acknowledgment":[
+ {
+ "Name": "Mikael Karlsson",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that all instances are upgraded to Nextcloud 13.0.3."
+}
diff --git a/old/server/nc-sa-2018-006.json b/old/server/nc-sa-2018-006.json
new file mode 100644
index 0000000..f4b7d5d
--- /dev/null
+++ b/old/server/nc-sa-2018-006.json
@@ -0,0 +1,36 @@
+{
+ "Title": "Improper validation of data passed to JSON encoder",
+ "Timestamp": 1533297600,
+ "Risk": 2,
+ "CVSS3": {
+ "score": 5.3,
+ "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+ },
+ "CWE": {
+ "id": 20,
+ "name": "Improper Input Validation"
+ },
+ "HackerOne": 232347,
+ "Affected":[
+ {
+ "Version":"12.0.3",
+ "CVE":"2018-3776",
+ "Operator":"<"
+ },
+ {
+ "Version":"11.0.5",
+ "CVE":"2018-3776",
+ "Operator":"<"
+ }
+ ],
+ "Description":"Improper validation of input allowed an attacker to not have their actions logged to the audit log.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Zhouyuan Yang",
+ "Company": "Fortinet's FortiGuard Labs",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that all instances are upgraded to at least Nextcloud 12.0.3."
+}
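Review bot: Both `CVE` values are written as `2018-3776` without the `CVE-` prefix that every other advisory in this commit uses. Lookups and cross-references keyed on the full identifier will not match this entry. I would write `"CVE":"CVE-2018-3776",` in both `Affected` objects. nc-sa-2018-007.json has the same problem with `2018-3775`.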
diff --git a/old/server/nc-sa-2018-007.json b/old/server/nc-sa-2018-007.json
new file mode 100644
index 0000000..b8d793f
--- /dev/null
+++ b/old/server/nc-sa-2018-007.json
@@ -0,0 +1,30 @@
+{
+ "Title": "Bypass of 2 Factor Authentication",
+ "Timestamp": 1533297600,
+ "Risk": 3,
+ "CVSS3": {
+ "score": 8.1,
+ "vector": "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"
+ },
+ "CWE": {
+ "id": 287,
+ "name": "Improper Authentication - Generic"
+ },
+ "HackerOne": 248656,
+ "Affected":[
+ {
+ "Version":"12.0.3",
+ "CVE":"2018-3775",
+ "Operator":"<"
+ }
+ ],
+ "Description":"Improper authentication of the second factor challenge would allow an attacker that had access to user credentials to bypass the second factor validation completely.",
+ "ActionTaken": "The error has been fixed and regression tests are in place.",
+ "Acknowledgment":[
+ {
+ "Name": "kaysbugs",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that all instances are upgraded at least to Nextcloud 12.0.3."
+}
diff --git a/old/server/nc-sa-2018-008.json b/old/server/nc-sa-2018-008.json
new file mode 100644
index 0000000..da818cb
--- /dev/null
+++ b/old/server/nc-sa-2018-008.json
@@ -0,0 +1,31 @@
+{
+ "Title": "Stored XSS in autocomplete suggestions for file comments",
+ "Timestamp": 1533902400,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 0.0,
+ "vector": "AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:N"
+ },
+ "CWE": {
+ "id": 79,
+ "name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
+ },
+ "Affected":[
+ {
+ "Version":"13.0.5",
+ "CVE":"CVE-2018-3780",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected user names, hence malicious search results could only be crafted by authenticated users.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Joas Schilling",
+ "Mail": "coding@schilljs.com",
+ "Company": "Nextcloud GmbH",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that all instances are upgraded to Nextcloud 13.0.5."
+}
diff --git a/old/server/nc-sa-2018-010.json b/old/server/nc-sa-2018-010.json
new file mode 100644
index 0000000..6414601
--- /dev/null
+++ b/old/server/nc-sa-2018-010.json
@@ -0,0 +1,40 @@
+{
+ "Title": "Improper validation of permissions",
+ "Timestamp": 1540468800,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 6.4,
+ "vector": "AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"
+ },
+ "CWE": {
+ "id": 284,
+ "name": "Improper Access Control - Generic"
+ },
+ "HackerOne": 388515,
+ "Affected":[
+ {
+ "Version":"14.0.0",
+ "CVE":"CVE-2018-16466",
+ "Operator":"<"
+ },
+ {
+ "Version":"13.0.6",
+ "CVE":"CVE-2018-16466",
+ "Operator":"<"
+ },
+ {
+ "Version":"12.0.11",
+ "CVE":"CVE-2018-16466",
+ "Operator":"<"
+ }
+ ],
+ "Description":"Improper revalidation of permissions lead to not accepting access restrictions by acess tokens.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Mohd Haji",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that all instances are upgraded to Nextcloud 14.0.0, Nextcloud 13.0.6 or Nextcloud 12.0.11."
+}
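Review bot: `"Risk": 1` does not agree with the CVSS data in the same file. nc-sa-2018-003.json carries the identical vector and the same 6.4 score with `"Risk": 2`. The meaning of the `Risk` scale is not visible in this diff, but two advisories with the same vector should get the same value, so I would use `"Risk": 2,` here. nc-sa-2018-011.json, scored 5.7, is also at `"Risk": 1`, while lower-scored advisories such as nc-sa-2018-006.json (5.3) are at 2. In the `Description`, `acess tokens` should read `access tokens`.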
diff --git a/old/server/nc-sa-2018-011.json b/old/server/nc-sa-2018-011.json
new file mode 100644
index 0000000..c3d8301
--- /dev/null
+++ b/old/server/nc-sa-2018-011.json
@@ -0,0 +1,33 @@
+{
+ "Title": "Second factor authentication bypassed if provider fails to load",
+ "Timestamp": 1540468800,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 5.7,
+ "vector": "AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N"
+ },
+ "CWE": {
+ "id": 287,
+ "name": "Improper Authentication - Generic"
+ },
+ "HackerOne": 317711,
+ "Affected":[
+ {
+ "Version":"14.0.0",
+ "CVE":"CVE-2018-16465",
+ "Operator":"<"
+ }
+ ],
+ "Description":"Missing state would not enforce the use of a second factor at login if the the provider of the second factor failed to load.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Aleksa Sarai",
+ "Mail": "cyphar@cyphar.com",
+ "Company": "SUSE Linux GmbH",
+ "Website": "https://www.cyphar.com/",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that all instances are upgraded to Nextcloud 14.0.0."
+}
diff --git a/old/server/nc-sa-2018-012.json b/old/server/nc-sa-2018-012.json
new file mode 100644
index 0000000..62a5ec1
--- /dev/null
+++ b/old/server/nc-sa-2018-012.json
@@ -0,0 +1,29 @@
+{
+ "Title": "Improper authentication on public shares",
+ "Timestamp": 1540468800,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 3.7,
+ "vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"
+ },
+ "CWE": {
+ "id": 287,
+ "name": "Improper Authentication - Generic"
+ },
+ "Affected":[
+ {
+ "Version":"14.0.0",
+ "CVE":"CVE-2018-16464",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A missing access check could lead to continued access to password protected link shares when the owner had changed the password.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Rudra Pratap Singh",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that all instances are upgraded to Nextcloud 14.0.0."
+}
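Review bot: The `vector` string starts with `CVSS:3.0/`, while every other advisory in this commit stores the bare metric string. A parser written against either form will fail on the other, or a generator that prepends the prefix will emit it twice. Pick one form for the whole data set. To match the other files this line would be `"vector": "AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"`.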
diff --git a/old/server/nc-sa-2018-013.json b/old/server/nc-sa-2018-013.json
new file mode 100644
index 0000000..6513c56
--- /dev/null
+++ b/old/server/nc-sa-2018-013.json
@@ -0,0 +1,40 @@
+{
+ "Title": "Session fixation on public share page",
+ "Timestamp": 1540468800,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 3.1,
+ "vector": "AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N"
+ },
+ "CWE": {
+ "id": 384,
+ "name": "Session Fixation"
+ },
+ "HackerOne": 237184,
+ "Affected":[
+ {
+ "Version":"14.0.0",
+ "CVE":"CVE-2018-16463",
+ "Operator":"<"
+ },
+ {
+ "Version":"13.0.3",
+ "CVE":"CVE-2018-16463",
+ "Operator":"<"
+ },
+ {
+ "Version":"12.0.8",
+ "CVE":"CVE-2018-16463",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A bug causing session fixation could potentially allow an attacker to obtain access to password protected shares.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Anonymous hacker",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that all instances are upgraded to at least Nextcloud 14.0.0, Nextcloud 13.0.3 or Nextcloud 12.0.8."
+}
diff --git a/old/server/nc-sa-2018-014.json b/old/server/nc-sa-2018-014.json
new file mode 100644
index 0000000..ea43043
--- /dev/null
+++ b/old/server/nc-sa-2018-014.json
@@ -0,0 +1,31 @@
+{
+ "Title": "Improper access control checks for single share previews",
+ "Timestamp": 1540468800,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 4.8,
+ "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
+ },
+ "CWE": {
+ "id": 287,
+ "name": "Improper Authentication"
+ },
+ "HackerOne": 231917,
+ "Affected":[
+ {
+ "Version":"14.0.0",
+ "CVE":"CVE-2018-16467",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A missing check could give unauthorized access to the previews of single file password protected shares.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Carl Pearson",
+ "Website": "https://cp270.wordpress.com",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that all instances are upgraded to Nextcloud 14.0.0."
+}
diff --git a/old/server/nc-sa-2019-001.json b/old/server/nc-sa-2019-001.json
new file mode 100644
index 0000000..6978e9b
--- /dev/null
+++ b/old/server/nc-sa-2019-001.json
@@ -0,0 +1,41 @@
+{
+ "Title": "Classification of calendar events is ignored by the activity stream",
+ "Timestamp": 1555070400,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 2.4,
+ "vector": "AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N"
+ },
+ "CWE": {
+ "id": 287,
+ "name": "Improper Authentication"
+ },
+ "HackerOne": 476615,
+ "Affected":[
+ {
+ "Version":"15.0.1",
+ "CVE":"CVE-2019-5449",
+ "Operator":"<"
+ },
+ {
+ "Version":"14.0.5",
+ "CVE":"CVE-2019-5449",
+ "Operator":"<"
+ },
+ {
+ "Version":"13.0.9",
+ "CVE":"CVE-2019-5449",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A missing check revealed the name of confidential events and private events to all users of a shared calendar.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Fabian Dellwing",
+ "Mail": "f.dellwing@netfutura.de",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that all instances are upgraded to Nextcloud 15.0.1, 14.0.5 or 13.0.9."
+}
diff --git a/old/server/nc-sa-2019-002.json b/old/server/nc-sa-2019-002.json
new file mode 100644
index 0000000..03ed929
--- /dev/null
+++ b/old/server/nc-sa-2019-002.json
@@ -0,0 +1,46 @@
+{
+ "Title": "Improper access control checks for share expiration date",
+ "Timestamp": 1555070400,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 4.8,
+ "vector": "AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
+ },
+ "CWE": {
+ "id": 284,
+ "name": "Improper Access Control - Generic"
+ },
+ "HackerOne": 447494,
+ "Affected":[
+ {
+ "Version":"15.0.0",
+ "CVE":"CVE-2020-8122",
+ "Operator":"<"
+ },
+ {
+ "Version":"14.0.4",
+ "CVE":"CVE-2020-8122",
+ "Operator":"<"
+ },
+ {
+ "Version":"13.0.8",
+ "CVE":"CVE-2020-8122",
+ "Operator":"<"
+ },
+ {
+ "Version":"12.0.13",
+ "CVE":"CVE-2020-8122",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A missing check could give recipient the possibility to extend the expiration date of a share they received.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Carl Pearson",
+ "Website": "https://cp270.wordpress.com",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that all instances are upgraded to Nextcloud 15.0.0, Nextcloud 14.0.4, Nextcloud 13.0.8 or 12.0.13."
+}
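Review bot: The `"score": 4.8` in the `CVSS3` object does not match the vector next to it, because `AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N` evaluates to a base score of 4.3 under the CVSS v3 equations. The 4.8 may have been carried over from another advisory, or the vector may have been edited after scoring; the file does not show which. Either correct the number (`"score": 4.3,`) or restore the vector that was actually assessed, since tooling that re-derives the score from the vector will disagree with the published value.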
diff --git a/old/server/nc-sa-2019-003.json b/old/server/nc-sa-2019-003.json
new file mode 100644
index 0000000..b52a3fd
--- /dev/null
+++ b/old/server/nc-sa-2019-003.json
@@ -0,0 +1,41 @@
+{
+ "Title": "Improper share updates could result in extended data access",
+ "Timestamp": 1555070400,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 9.6,
+ "vector": "AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"
+ },
+ "CWE": {
+ "id": 284,
+ "name": "Improper Access Control - Generic"
+ },
+ "HackerOne": 452854,
+ "Affected":[
+ {
+ "Version":"15.0.0",
+ "CVE":"CVE-2020-8121",
+ "Operator":"<"
+ },
+ {
+ "Version":"14.0.5",
+ "CVE":"CVE-2020-8121",
+ "Operator":"<"
+ },
+ {
+ "Version":"13.0.9",
+ "CVE":"CVE-2020-8121",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A bug could expose more data in reshared link shares than intended by the sharer.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Fabian Riechsteiner",
+ "Company": "recretix systems AG",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that all instances are upgraded to Nextcloud 15.0.0, 14.0.5 or 13.0.9."
+}
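Review bot: `"Risk": 1` sits next to `"score": 9.6` here, and those two look inconsistent with each other. nc-sa-2020-012.json in this same commit uses `"Risk": 2` for a 6.4, so the field is evidently graded rather than constant. If `Risk` is the severity level that the advisory page renders, a consumer triaging on it would rank this scope-changing `C:H/I:H` issue below that 6.4. Please confirm the intended level and raise it to match the score, or lower the CVSS metrics if 9.6 overstates the issue.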
diff --git a/old/server/nc-sa-2019-012.json b/old/server/nc-sa-2019-012.json
new file mode 100644
index 0000000..36b7d98
--- /dev/null
+++ b/old/server/nc-sa-2019-012.json
@@ -0,0 +1,40 @@
+{
+ "Title": "File-drop content is visible through the gallery app",
+ "Timestamp": 1571745600,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 5.0,
+ "vector": "AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"
+ },
+ "CWE": {
+ "id": 285,
+ "name": "Improper Authorization"
+ },
+ "HackerOne": 719426,
+ "Affected":[
+ {
+ "Version":"17.0.1",
+ "CVE":"CVE-2020-8119",
+ "Operator":"<"
+ },
+ {
+ "Version":"16.0.6",
+ "CVE":"CVE-2020-8119",
+ "Operator":"<"
+ },
+ {
+ "Version":"15.0.13",
+ "CVE":"CVE-2020-8119",
+ "Operator":"<"
+ }
+ ],
+ "Description":"Improper authorization in Nextcloud server 17.0.0 causes leaking of previews and files when a file-drop share link is opened via the gallery app.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Olav Seyfarth (nursoda)",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud server is upgraded to 17.0.1."
+}
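Review bot: The `Resolution` text names only 17.0.1, although `Affected` lists fixed boundaries for three branches (17.0.1, 16.0.6 and 15.0.13). An operator on a 16.x or 15.x instance who reads only the recommendation is not told that a patched release exists on their branch. I would word it like the 2019-001 advisory: `"Resolution": "It is recommended that all instances are upgraded to Nextcloud 17.0.1, 16.0.6 or 15.0.13."`. The same gap appears in most later server advisories in this commit that have more than one `Affected` entry, from nc-sa-2019-014.json through nc-sa-2021-001.json. The `Description` values there also name a single version ("in Nextcloud server 17.0.0"), which reads as if only that release were vulnerable.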
diff --git a/old/server/nc-sa-2019-014.json b/old/server/nc-sa-2019-014.json
new file mode 100644
index 0000000..cb908e1
--- /dev/null
+++ b/old/server/nc-sa-2019-014.json
@@ -0,0 +1,36 @@
+{
+ "Title": "Server-Side request forgery in New-Subscription feature of the calendar app",
+ "Timestamp": 1562241600,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 5.0,
+ "vector": "AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"
+ },
+ "CWE": {
+ "id": 918,
+ "name": "Server-Side Request Forgery"
+ },
+ "HackerOne": 427835,
+ "Affected":[
+ {
+ "Version":"16.0.2",
+ "CVE":"CVE-2020-8118",
+ "Operator":"<"
+ },
+ {
+ "Version":"15.0.9",
+ "CVE":"CVE-2020-8118",
+ "Operator":"<"
+ }
+ ],
+ "Description":"An authenticated server-side request forgery in Nextcloud server 16.0.1 allowed to detect local and remote services when adding a new subscription in the calendar application.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Tim Coen",
+ "Website": "https://security-consulting.icu/blog/",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud server is upgraded to 16.0.2."
+}
diff --git a/old/server/nc-sa-2019-015.json b/old/server/nc-sa-2019-015.json
new file mode 100644
index 0000000..640b5f5
--- /dev/null
+++ b/old/server/nc-sa-2019-015.json
@@ -0,0 +1,35 @@
+{
+ "Title": "Group admins can create users with IDs of system folders",
+ "Timestamp": 1565611200,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 8.4,
+ "vector": "AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H"
+ },
+ "CWE": {
+ "id": 20,
+ "name": "Improper Input Validation"
+ },
+ "HackerOne": 508493,
+ "Affected":[
+ {
+ "Version":"15.0.8",
+ "CVE":"CVE-2019-15624",
+ "Operator":"<"
+ },
+ {
+ "Version":"14.0.11",
+ "CVE":"CVE-2019-15624",
+ "Operator":"<"
+ }
+ ],
+ "Description":"Improper Input Validation in Nextcloud Server 15.0.7 allows group admins to create users with IDs of system folders.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Leon Klingele",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Server is upgraded to 15.0.8."
+}
diff --git a/old/server/nc-sa-2019-016.json b/old/server/nc-sa-2019-016.json
new file mode 100644
index 0000000..b391679
--- /dev/null
+++ b/old/server/nc-sa-2019-016.json
@@ -0,0 +1,40 @@
+{
+ "Title": "User IDs and Nextcloud server leaked to Nextcloud Lookup server with disabled settings",
+ "Timestamp": 1561550400,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 5.3,
+ "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ },
+ "CWE": {
+ "id": 359,
+ "name": "Exposure of Private Information"
+ },
+ "HackerOne": 508490,
+ "Affected":[
+ {
+ "Version":"16.0.2",
+ "CVE":"CVE-2019-15623",
+ "Operator":"<"
+ },
+ {
+ "Version":"15.0.9",
+ "CVE":"CVE-2019-15623",
+ "Operator":"<"
+ },
+ {
+ "Version":"14.0.13",
+ "CVE":"CVE-2019-15623",
+ "Operator":"<"
+ }
+ ],
+ "Description":"Exposure of Private Information in Nextcloud Server 16.0.1 causes the server to send it's domain and user IDs to the Nextcloud Lookup Server without any further data when the Lookup server is disabled.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Leon Klingele",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Server is upgraded to 16.0.2."
+}
diff --git a/old/server/nc-sa-2019-018.json b/old/server/nc-sa-2019-018.json
new file mode 100644
index 0000000..bf3344d
--- /dev/null
+++ b/old/server/nc-sa-2019-018.json
@@ -0,0 +1,41 @@
+{
+ "Title": "Reflected XSS in svg logo generation",
+ "Timestamp": 1564747200,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 6.5,
+ "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
+ },
+ "CWE": {
+ "id": 79,
+ "name": "Cross-site Scripting (XSS) - Reflected"
+ },
+ "HackerOne": 605915,
+ "Affected":[
+ {
+ "Version":"16.0.2",
+ "CVE":"CVE-2020-8120",
+ "Operator":"<"
+ },
+ {
+ "Version":"15.0.9",
+ "CVE":"CVE-2020-8120",
+ "Operator":"<"
+ },
+ {
+ "Version":"14.0.13",
+ "CVE":"CVE-2020-8120",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A reflected Cross-Site Scripting vunerability was discovered in the svg generation.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Frederik Braun",
+ "Website": "https://frederik-braun.com",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that all instances are upgraded to Nextcloud 16.0.2, 15.0.9 or 14.0.13."
+}
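Review bot: The vector sets `UI:N`, which is hard to reconcile with the title "Reflected XSS": a reflected payload normally fires only when the victim opens a crafted URL, and that is scored as `UI:R`. The 6.5 is consistent with the vector as written, so this is a question about the metric choice, not about the arithmetic. I cannot see the report from here, so please check it and, if interaction was required, change the metric and re-derive the score. Separately, `Description` has the typo "vunerability", which should be "vulnerability".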
diff --git a/old/server/nc-sa-2020-001.json b/old/server/nc-sa-2020-001.json
new file mode 100644
index 0000000..3f98092
--- /dev/null
+++ b/old/server/nc-sa-2020-001.json
@@ -0,0 +1,41 @@
+{
+ "Title": "2FA sessions not properly expired on password change",
+ "Timestamp": 1554076800,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 5.6,
+ "vector": "AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"
+ },
+ "CWE": {
+ "id": 384,
+ "name": "Session Fixation"
+ },
+ "HackerOne": 486693,
+ "Affected":[
+ {
+ "Version":"15.0.3",
+ "CVE":"CVE-2019-15612",
+ "Operator":"<"
+ },
+ {
+ "Version":"14.0.7",
+ "CVE":"CVE-2019-15612",
+ "Operator":"<"
+ },
+ {
+ "Version":"13.0.11",
+ "CVE":"CVE-2019-15612",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A bug in Nextcloud Server 15.0.2 causes pending 2FA logins to not be correctly expired when the password of the user is reset.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Jackson K V",
+ "Mail": "jacksonkv67@gmail.com",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Server is upgraded to 15.0.3."
+}
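Review bot: The `CWE` object maps this advisory to 384 "Session Fixation", but the `Description` describes pending 2FA logins that stay valid after a password reset. That is a session that outlives a credential change, not an attacker-chosen session identifier, so CWE-613 looks like the closer match: `"id": 613,` with `"name": "Insufficient Session Expiration"`. If the id was taken directly from the weakness chosen in the linked report, it may be worth correcting here anyway, because downstream statistics and scanners key on this field.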
diff --git a/old/server/nc-sa-2020-002.json b/old/server/nc-sa-2020-002.json
new file mode 100644
index 0000000..354d890
--- /dev/null
+++ b/old/server/nc-sa-2020-002.json
@@ -0,0 +1,40 @@
+{
+ "Title": "Workflow rules only check the file extension for the mimetype instead of the content",
+ "Timestamp": 1575417600,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 5.5,
+ "vector": "AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L"
+ },
+ "CWE": {
+ "id": 646,
+ "name": "Reliance on File Name or Extension of Externally-Supplied File"
+ },
+ "HackerOne": 697959,
+ "Affected":[
+ {
+ "Version":"17.0.2",
+ "CVE":"CVE-2019-15613",
+ "Operator":"<"
+ },
+ {
+ "Version":"16.0.7",
+ "CVE":"CVE-2019-15613",
+ "Operator":"<"
+ },
+ {
+ "Version":"15.0.14",
+ "CVE":"CVE-2019-15613",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A bug in Nextcloud Server 17.0.1 causes the workflow rules to depend their behaviour on the file extension when checking file mimetypes.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Ralf Thesing",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Server is upgraded to 17.0.2."
+}
diff --git a/old/server/nc-sa-2020-005.json b/old/server/nc-sa-2020-005.json
new file mode 100644
index 0000000..8061b2a
--- /dev/null
+++ b/old/server/nc-sa-2020-005.json
@@ -0,0 +1,32 @@
+{
+ "Title": "Missing default timeout on HTTP requests",
+ "Timestamp": 1567555200,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 4.3,
+ "vector": "AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
+ },
+ "CWE": {
+ "id": 1088,
+ "name": "Synchronous Access of Remote Resource without Timeout"
+ },
+ "HackerOne": 592864,
+ "Affected":[
+ {
+ "Version":"17.0.0",
+ "CVE":"CVE-2019-15616",
+ "Operator":"<"
+ }
+ ],
+ "Description":"Dangling remote share attempts in Nextcloud 16 allow a DNS pollution when running long.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Joshua Maddux",
+ "Mail": "jdmaddux@gmail.com",
+ "Website": "https://twitter.com/joshmdx",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Server is upgraded to 17.0.0."
+}
diff --git a/old/server/nc-sa-2020-006.json b/old/server/nc-sa-2020-006.json
new file mode 100644
index 0000000..6c5569d
--- /dev/null
+++ b/old/server/nc-sa-2020-006.json
@@ -0,0 +1,32 @@
+{
+ "Title": "Duplicate setup of second factor allowed",
+ "Timestamp": 1571961600,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 4.6,
+ "vector": "AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"
+ },
+ "CWE": {
+ "id": 287,
+ "name": "Improper Authentication"
+ },
+ "HackerOne": 722748,
+ "Affected":[
+ {
+ "Version":"17.0.1",
+ "CVE":"CVE-2019-15617",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A missing check in Nextcloud Server 17.0.0 allowed an attacker to set up a new second factor when trying to login.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Christoph Wurst",
+ "Company": "Nextcloud GmbH",
+ "Website": "https://nextcloud.com",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Server is upgraded to 17.0.1."
+}
diff --git a/old/server/nc-sa-2020-007.json b/old/server/nc-sa-2020-007.json
new file mode 100644
index 0000000..99dfd8a
--- /dev/null
+++ b/old/server/nc-sa-2020-007.json
@@ -0,0 +1,38 @@
+{
+ "Title": "Reflected XSS in redirect of the Updater",
+ "Timestamp": 1553558400,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 2.0,
+ "vector": "AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N"
+ },
+ "CWE": {
+ "id": 79,
+ "name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
+ },
+ "HackerOne": 515484,
+ "Affected":[
+ {
+ "Version":"15.0.6",
+ "CVE":"CVE-2019-15618",
+ "Operator":"<"
+ },
+ {
+ "Version":"14.0.9",
+ "CVE":"CVE-2019-15618",
+ "Operator":"<"
+ }
+ ],
+ "Description":"Missing escaping of HTML in the Updater of Nextcloud 15.0.5 allowed a reflected XSS when starting the updater from a malicious location.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Nikita Tikhomirov",
+ "Mail": "nstikhomirov@gmail.com",
+ "Company": "Pentest Generation",
+ "Website": "https://nstikhomirov.me/",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Server is upgraded to 15.0.6."
+}
diff --git a/old/server/nc-sa-2020-008.json b/old/server/nc-sa-2020-008.json
new file mode 100644
index 0000000..ac75f50
--- /dev/null
+++ b/old/server/nc-sa-2020-008.json
@@ -0,0 +1,31 @@
+{
+ "Title": "Improper neutralization of item names in projects feature",
+ "Timestamp": 1564358400,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 2.0,
+ "vector": "AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N"
+ },
+ "CWE": {
+ "id": 79,
+ "name": "Improper Neutralization of Input During Web Page Generation"
+ },
+ "HackerOne": 662204,
+ "Affected":[
+ {
+ "Version":"16.0.4",
+ "CVE":"CVE-2019-15619",
+ "Operator":"<"
+ }
+ ],
+ "Description":"Improper neutralization of file names, conversation names and board names in Nextcloud Server 16.0.3, Nextcloud Talk 6.0.3 and Nextcloud Deck 0.6.5 causes an XSS when linking them with each others in a project.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Tim Coen",
+ "Website": "https://security-consulting.icu/",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Server is upgraded to 16.0.4."
+}
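Review bot: The `Description` names three affected products (Nextcloud Server 16.0.3, Nextcloud Talk 6.0.3 and Nextcloud Deck 0.6.5), but `Affected` and `Resolution` cover only Server 16.0.4. A Talk or Deck user reading this file gets no fixed version to upgrade to, and nothing here points to a sibling advisory for those apps. Either extend `Resolution` with the fixed Talk and Deck releases (their versions are not shown on this page) or reference the advisories that carry them.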
diff --git a/old/server/nc-sa-2020-012.json b/old/server/nc-sa-2020-012.json
new file mode 100644
index 0000000..c066259
--- /dev/null
+++ b/old/server/nc-sa-2020-012.json
@@ -0,0 +1,43 @@
+{
+ "Title": "Improper permission preservation on reshares",
+ "Timestamp": 1561593600,
+ "Risk": 2,
+ "CVSS3": {
+ "score": 6.4,
+ "vector": "AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:H"
+ },
+ "CWE": {
+ "id": 281,
+ "name": "Improper Preservation of Permissions"
+ },
+ "HackerOne": 619484,
+ "Affected":[
+ {
+ "Version":"16.0.2",
+ "CVE":"CVE-2019-15621",
+ "Operator":"<"
+ },
+ {
+ "Version":"15.0.9",
+ "CVE":"CVE-2019-15621",
+ "Operator":"<"
+ },
+ {
+ "Version":"14.0.13",
+ "CVE":"CVE-2019-15621",
+ "Operator":"<"
+ }
+ ],
+ "Description":"Improper permissions preservation in Nextcloud Server 16.0.1 causes sharees to be able to reshare with write permissions when sharing the mount point of a share they received, as a public link.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Phil Davis",
+ "Mail": "phil@jankaritech.com",
+ "Company": "JankariTech Pvt Ltd",
+ "Website": "https://jankaritech.com",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Server is upgraded to 16.0.2."
+}
diff --git a/old/server/nc-sa-2020-013.json b/old/server/nc-sa-2020-013.json
new file mode 100644
index 0000000..e0f6b5a
--- /dev/null
+++ b/old/server/nc-sa-2020-013.json
@@ -0,0 +1,40 @@
+{
+ "Title": "Event details leaked when sharing a non-public calendar event",
+ "Timestamp": 1542240000,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 4.8,
+ "vector": "AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N"
+ },
+ "CWE": {
+ "id": 281,
+ "name": "Improper Preservation of Permissions"
+ },
+ "HackerOne": 439828,
+ "Affected":[
+ {
+ "Version":"14.0.4",
+ "CVE":"CVE-2020-8117",
+ "Operator":"<"
+ },
+ {
+ "Version":"13.0.8",
+ "CVE":"CVE-2020-8117",
+ "Operator":"<"
+ },
+ {
+ "Version":"12.0.13",
+ "CVE":"CVE-2020-8117",
+ "Operator":"<"
+ }
+ ],
+ "Description":"Improper preservation of permissions in Nextcloud Server 14.0.3 causes the event details to be leaked when sharing a non-public event.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "NA",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Server is upgraded to 14.0.4."
+}
diff --git a/old/server/nc-sa-2020-014.json b/old/server/nc-sa-2020-014.json
new file mode 100644
index 0000000..d52c96e
--- /dev/null
+++ b/old/server/nc-sa-2020-014.json
@@ -0,0 +1,41 @@
+{
+ "Title": "SSRF protection bypass in calendar subscriptions",
+ "Timestamp": 1576108800,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 6.3,
+ "vector": "AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+ },
+ "CWE": {
+ "id": 918,
+ "name": "Server-Side Request Forgery (SSRF)"
+ },
+ "HackerOne": 736867,
+ "Affected":[
+ {
+ "Version":"17.0.2",
+ "CVE":"CVE-2020-8138",
+ "Operator":"<"
+ },
+ {
+ "Version":"16.0.7",
+ "CVE":"CVE-2020-8138",
+ "Operator":"<"
+ },
+ {
+ "Version":"15.0.14",
+ "CVE":"CVE-2020-8138",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A missing check for IPv4 nested inside IPv6 in Nextcloud server 17.0.1 allowed a SSRF when subscribing to a malicious calendar URL.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Tim Coen",
+ "Website": "https://security-consulting.icu/blog/",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud server is upgraded to 17.0.2."
+}
diff --git a/old/server/nc-sa-2020-015.json b/old/server/nc-sa-2020-015.json
new file mode 100644
index 0000000..6b611ee
--- /dev/null
+++ b/old/server/nc-sa-2020-015.json
@@ -0,0 +1,40 @@
+{
+ "Title": "Secure view shares can be downloaded by manipulating the URL",
+ "Timestamp": 1581033600,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 0.0,
+ "vector": "AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:N"
+ },
+ "CWE": {
+ "id": 284,
+ "name": "Improper Access Control - Generic"
+ },
+ "HackerOne": 788257,
+ "Affected":[
+ {
+ "Version":"18.0.1",
+ "CVE":"CVE-2020-8139",
+ "Operator":"<"
+ },
+ {
+ "Version":"17.0.4",
+ "CVE":"CVE-2020-8139",
+ "Operator":"<"
+ },
+ {
+ "Version":"16.0.9",
+ "CVE":"CVE-2020-8139",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A missing access control check in Nextcloud Server 18.0.0 causes hide-download shares to be downloadable when appending /download to the URL.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "NA",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Server is upgraded to 18.0.1."
+}
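Review bot: The `CVSS3` object records `"score": 0.0` with `C:N/I:N/A:N`, which states that the issue has no security impact at all. The `Description` says a hide-download share can be downloaded anyway, so a control the sharer relied on is bypassed. Any consumer that filters or sorts advisories by score will drop this entry. If the intent was "low, because the content was already viewable", a non-zero impact metric with a matching score expresses that better, e.g. `C:L` if the bypass is treated as a confidentiality issue. Otherwise the rationale for scoring it as zero should be spelled out in the text.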
diff --git a/old/server/nc-sa-2020-018.json b/old/server/nc-sa-2020-018.json
new file mode 100644
index 0000000..8a3a38a
--- /dev/null
+++ b/old/server/nc-sa-2020-018.json
@@ -0,0 +1,35 @@
+{
+ "Title": "Missing ownership check on remote wipe endpoint",
+ "Timestamp": 1584532800,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 7.7,
+ "vector": "AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H"
+ },
+ "CWE": {
+ "id": 639,
+ "name": "Insecure Direct Object Reference"
+ },
+ "HackerOne": 819807,
+ "Affected":[
+ {
+ "Version":"18.0.3",
+ "CVE":"CVE-2020-8154",
+ "Operator":"<"
+ },
+ {
+ "Version":"17.0.5",
+ "CVE":"CVE-2020-8154",
+ "Operator":"<"
+ }
+ ],
+ "Description":"An Insecure direct object reference vulnerability in Nextcloud Server 18.0.2 allowed an attacker to remote wipe devices of other users when sending a malicious request directly to the endpoint.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Tommy Suriel",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Server is upgraded to 18.0.3."
+}
diff --git a/old/server/nc-sa-2020-019.json b/old/server/nc-sa-2020-019.json
new file mode 100644
index 0000000..ff216e7
--- /dev/null
+++ b/old/server/nc-sa-2020-019.json
@@ -0,0 +1,32 @@
+{
+ "Title": "XSS in Files PDF viewer",
+ "Timestamp": 1584532800,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 3.5,
+ "vector": "AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"
+ },
+ "CWE": {
+ "id": 79,
+ "name": "Cross-site Scripting (XSS) - Generic"
+ },
+ "HackerOne": 819863,
+ "Affected":[
+ {
+ "Version":"18.0.3",
+ "CVE":"CVE-2020-8155",
+ "Operator":"<"
+ }
+ ],
+ "Description":"An outdated 3rd party library in the Files PDF viewer for Nextcloud Server 18.0.2 caused a Cross-site scripting vulnerability when opening a malicious PDF.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Tripp Lyons",
+ "Mail": "tripplyons@gmail.com",
+ "Website": "https://tripplyons.com/",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Server is upgraded to 18.0.3."
+}
diff --git a/old/server/nc-sa-2020-023.json b/old/server/nc-sa-2020-023.json
new file mode 100644
index 0000000..9155c69
--- /dev/null
+++ b/old/server/nc-sa-2020-023.json
@@ -0,0 +1,40 @@
+{
+ "Title": "Increase random used for encryption",
+ "Timestamp": 1591272000,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 2.2,
+ "vector": "AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N"
+ },
+ "CWE": {
+ "id": 310,
+ "name": "Cryptographic Issues - Generic"
+ },
+ "HackerOne": 852841,
+ "Affected":[
+ {
+ "Version":"19.0.0",
+ "CVE":"CVE-2020-8173",
+ "Operator":"<"
+ },
+ {
+ "Version":"18.0.5",
+ "CVE":"CVE-2020-8173",
+ "Operator":"<"
+ },
+ {
+ "Version":"17.0.7",
+ "CVE":"CVE-2020-8173",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A too small set of random characters being used for encryption in Nextcloud Server 18.0.4 allowed decryption in shorter time than intended.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Lynn Stephenson",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Server is upgraded to 19.0.0."
+}
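Review bot: `"id": 310` ("Cryptographic Issues") is a CWE category rather than a weakness, and MITRE discourages mapping vulnerabilities to category entries. The `Description` points at something more specific, a too-small set of random characters, which reads like insufficient entropy; CWE-331 would be a candidate, to be confirmed against the report. nc-sa-2020-039.json in this commit uses the same category id and would benefit from the same refinement.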
diff --git a/old/server/nc-sa-2020-026.json b/old/server/nc-sa-2020-026.json
new file mode 100644
index 0000000..0e79ea9
--- /dev/null
+++ b/old/server/nc-sa-2020-026.json
@@ -0,0 +1,37 @@
+{
+ "Title": "Password of share by mail is not hashed when given on the create share call",
+ "Timestamp": 1591272000,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 5.0,
+ "vector": "AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"
+ },
+ "CWE": {
+ "id": 256,
+ "name": "Plaintext Storage of a Password"
+ },
+ "HackerOne": 885041,
+ "Affected":[
+ {
+ "Version":"19.0.1",
+ "CVE":"CVE-2020-8183",
+ "Operator":"<"
+ },
+ {
+ "Version":"18.0.6",
+ "CVE":"CVE-2020-8183",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A logic error in Nextcloud Server 19.0.0 caused a plaintext storage of the share password when it was given on the initial create API call.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "N/A",
+ "Company": "Nextcloud GmbH",
+ "Website": "https://nextcloud.com/",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Server is upgraded to 19.0.1."
+}
diff --git a/old/server/nc-sa-2020-029.json b/old/server/nc-sa-2020-029.json
new file mode 100644
index 0000000..8b528e4
--- /dev/null
+++ b/old/server/nc-sa-2020-029.json
@@ -0,0 +1,41 @@
+{
+ "Title": "Re-Sharing allows increase of privileges",
+ "Timestamp": 1594900800,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 5.5,
+ "vector": "AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L"
+ },
+ "CWE": {
+ "id": 269,
+ "name": "Improper Privilege Management"
+ },
+ "HackerOne": 889243,
+ "Affected":[
+ {
+ "Version":"19.0.1",
+ "CVE":"CVE-2020-8223",
+ "Operator":"<"
+ },
+ {
+ "Version":"18.0.7",
+ "CVE":"CVE-2020-8223",
+ "Operator":"<"
+ },
+ {
+ "Version":"17.0.8",
+ "CVE":"CVE-2020-8223",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A logic error in Nextcloud Server 19.0.0 caused a privilege escalation allowing malicious users to reshare with higher permissions than they got assigned themselves.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Dr. Alexander Fleischer",
+ "Company": "TU Ilmenau",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Server is upgraded to 19.0.1."
+}
diff --git a/old/server/nc-sa-2020-037.json b/old/server/nc-sa-2020-037.json
new file mode 100644
index 0000000..a0fe9d9
--- /dev/null
+++ b/old/server/nc-sa-2020-037.json
@@ -0,0 +1,33 @@
+{
+ "Title": "PIN for passwordless WebAuthn is asked for but not verified",
+ "Timestamp": 1598356800,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 4.3,
+ "vector": "AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+ },
+ "CWE": {
+ "id": 287,
+ "name": "Improper Authentication - Generic"
+ },
+ "HackerOne": 924393,
+ "Affected":[
+ {
+ "Version":"19.0.2",
+ "CVE":"CVE-2020-8236",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A wrong configuration in Nextcloud Server 19.0.1 incorrectly made the user feel the passwordless WebAuthn is also a two factor verification by asking for the PIN of the passwordless WebAuthn but not verifying it.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Dominik Schürmann",
+ "Mail": "contact@cotech.de",
+ "Company": "COTECH",
+ "Website": "https://www.cotech.de/",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Server is upgraded to 19.0.2."
+}
diff --git a/old/server/nc-sa-2020-038.json b/old/server/nc-sa-2020-038.json
new file mode 100644
index 0000000..aaf27f8
--- /dev/null
+++ b/old/server/nc-sa-2020-038.json
@@ -0,0 +1,43 @@
+{
+ "Title": "Message Authentication Codes calculated by the Default Encryption Module allow an attacker to silently overwrite blocks in a file",
+ "Timestamp": 1598400000,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 1.8,
+ "vector": "AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N"
+ },
+ "CWE": {
+ "id": 657,
+ "name": "Violation of Secure Design Principles"
+ },
+ "HackerOne": 661051,
+ "Affected":[
+ {
+ "Version":"19.0.2",
+ "CVE":"CVE-2020-8133",
+ "Operator":"<"
+ },
+ {
+ "Version":"18.0.8",
+ "CVE":"CVE-2020-8133",
+ "Operator":"<"
+ },
+ {
+ "Version":"17.0.10",
+ "CVE":"CVE-2020-8133",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A wrong generation of the passphrase for the encrypted block in Nextcloud Server 19.0.1 allowed an attacker to overwrite blocks in a file.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Kevin \"Kenny\" Niehage",
+ "Mail": "kenny@syseleven.de",
+ "Company": "SysEleven GmbH",
+ "Website": "https://www.syseleven.de/",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Server is upgraded to 19.0.2."
+}
diff --git a/old/server/nc-sa-2020-039.json b/old/server/nc-sa-2020-039.json
new file mode 100644
index 0000000..7d29f4a
--- /dev/null
+++ b/old/server/nc-sa-2020-039.json
@@ -0,0 +1,33 @@
+{
+ "Title": "Downgrade encryption scheme and break integrity through known-plaintext attack",
+ "Timestamp": 1598400000,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 5.3,
+ "vector": "AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N"
+ },
+ "CWE": {
+ "id": 310,
+ "name": "Cryptographic Issues - Generic"
+ },
+ "HackerOne": 742588,
+ "Affected":[
+ {
+ "Version":"19.0.2",
+ "CVE":"CVE-2020-8150",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A cryptographic issue in Nextcloud Server 19.0.1 allowed an attacker to downgrade the encryption scheme and break the integrity of encrypted files.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Kevin \"Kenny\" Niehage",
+ "Mail": "kenny@syseleven.de",
+ "Company": "SysEleven GmbH",
+ "Website": "https://www.syseleven.de/",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Server is upgraded to 19.0.2."
+}
diff --git a/old/server/nc-sa-2020-040.json b/old/server/nc-sa-2020-040.json
new file mode 100644
index 0000000..fecc458
--- /dev/null
+++ b/old/server/nc-sa-2020-040.json
@@ -0,0 +1,33 @@
+{
+ "Title": "Improper confidentiality protection of server-side encryption keys",
+ "Timestamp": 1601726400,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 5.3,
+ "vector": "AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N"
+ },
+ "CWE": {
+ "id": 522,
+ "name": "Insufficiently Protected Credentials"
+ },
+ "HackerOne": 743505,
+ "Affected":[
+ {
+ "Version":"20.0.0",
+ "CVE":"CVE-2020-8152",
+ "Operator":"<"
+ }
+ ],
+ "Description":"Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the public key to decrypt them later on.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Kevin \"Kenny\" Niehage",
+ "Mail": "kenny@syseleven.de",
+ "Company": "SysEleven GmbH",
+ "Website": "https://www.syseleven.de/",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Server is upgraded to 20.0.0."
+}
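Review bot: The vector `AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N` sets confidentiality impact to none, yet the `Title` is about "confidentiality protection" and the `Description` says the attacker can "decrypt them later on". The vector and the 5.3 score are identical to those in nc-sa-2020-039.json, which is an integrity issue, so they may have been copied from that file. Please re-check the `C` metric against the report and re-derive the score if it changes.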
diff --git a/old/server/nc-sa-2020-041.json b/old/server/nc-sa-2020-041.json
new file mode 100644
index 0000000..8b1f14c
--- /dev/null
+++ b/old/server/nc-sa-2020-041.json
@@ -0,0 +1,33 @@
+{
+ "Title": "Improper integrity protection of server-side encryption keys",
+ "Timestamp": 1601726400,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 7.4,
+ "vector": "AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N"
+ },
+ "CWE": {
+ "id": 522,
+ "name": "Insufficiently Protected Credentials"
+ },
+ "HackerOne": 732431,
+ "Affected":[
+ {
+ "Version":"20.0.0",
+ "CVE":"CVE-2020-8259",
+ "Operator":"<"
+ }
+ ],
+ "Description":"Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the encryption keys.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Kevin \"Kenny\" Niehage",
+ "Mail": "kenny@syseleven.de",
+ "Company": "SysEleven GmbH",
+ "Website": "https://www.syseleven.de/",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Server is upgraded to 20.0.0."
+}
diff --git a/old/server/nc-sa-2021-001.json b/old/server/nc-sa-2021-001.json
new file mode 100644
index 0000000..b1b4f43
--- /dev/null
+++ b/old/server/nc-sa-2021-001.json
@@ -0,0 +1,41 @@
+{
+ "Title": "Potential DDoS when posting long data into workflow validation rules",
+ "Timestamp": 1605700800,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 5.7,
+ "vector": "AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H"
+ },
+ "CWE": {
+ "id": 400,
+ "name": "Denial of Service"
+ },
+ "HackerOne": 1018146,
+ "Affected":[
+ {
+ "Version":"20.0.2",
+ "CVE":"CVE-2020-8293",
+ "Operator":"<"
+ },
+ {
+ "Version":"19.0.5",
+ "CVE":"CVE-2020-8293",
+ "Operator":"<"
+ },
+ {
+ "Version":"18.0.11",
+ "CVE":"CVE-2020-8293",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A missing input validation in Nextcloud Server 20.0.1 allowed users to store unlimited data in workflow rules causing load and potential DDoS on later interactions and usage with those rules.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Mohamed Dief",
+ "Website": "https://twitter.com/DemoniaSlash",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Server is upgraded to 20.0.2."
+}
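Review bot: The `Resolution` string names only 20.0.2, while `Affected` lists fixed releases on three branches (20.0.2, 19.0.5, 18.0.11), so an operator on 19.x or 18.x is pointed at a major upgrade instead of the patch release for their branch. Consider `"Resolution": "It is recommended that the Nextcloud Server is upgraded to 20.0.2, 19.0.5 or 18.0.11."`. The same gap is in old/server/nc-sa-2021-002.json and in old/talk/nc-sa-2020-021.json (8.0.8 named; 7.0.3 and 6.0.5 listed). Separately, `Title` and `Description` say "DDoS" for load caused by data that a single user stores; "DoS" would match the `CWE` name used in the same file.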
diff --git a/old/server/nc-sa-2021-002.json b/old/server/nc-sa-2021-002.json
new file mode 100644
index 0000000..c71d118
--- /dev/null
+++ b/old/server/nc-sa-2021-002.json
@@ -0,0 +1,41 @@
+{
+ "Title": "Stored XSS in markdown file with Nextcloud Talk using Internet Explorer",
+ "Timestamp": 1605700800,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 3.0,
+ "vector": "AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N"
+ },
+ "CWE": {
+ "id": 79,
+ "name": "Cross-site Scripting (XSS) - Stored"
+ },
+ "HackerOne": 1023787,
+ "Affected":[
+ {
+ "Version":"20.0.2",
+ "CVE":"CVE-2020-8294",
+ "Operator":"<"
+ },
+ {
+ "Version":"19.0.5",
+ "CVE":"CVE-2020-8294",
+ "Operator":"<"
+ },
+ {
+ "Version":"18.0.11",
+ "CVE":"CVE-2020-8294",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A missing link validation in Nextcloud Server 20.0.1 allowed to execute a stored XSS attack on Internet Explorer users by saving a javascript url in a Markdown.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Luis Teixeira",
+ "Website": "luis@teix.co",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Server is upgraded to 20.0.2."
+}
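Review bot: The acknowledgment entry `"Website": "luis@teix.co"` holds an e-mail address, not a URL; the other advisories in this commit put addresses under `Mail` and keep `Website` for `https://` links. If the generator emits `Website` as a link target (not visible in this hunk), the published advisory would carry a broken relative link. Suggested: `"Mail": "luis@teix.co"`.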
diff --git a/old/server/nc-sa-2021-003.json b/old/server/nc-sa-2021-003.json
new file mode 100644
index 0000000..c15c622
--- /dev/null
+++ b/old/server/nc-sa-2021-003.json
@@ -0,0 +1,32 @@
+{
+ "Title": "Denial of Service by requesting to reset a password",
+ "Timestamp": 1601726400,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 7.5,
+ "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ },
+ "CWE": {
+ "id": 400,
+ "name": "Denial of Service"
+ },
+ "HackerOne": 812754,
+ "Affected":[
+ {
+ "Version":"20.0.0",
+ "CVE":"CVE-2020-8295",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A wrong check in Nextcloud Server 19 and prior allowed to perform a denial of service attack when resetting the password for a user.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Jesús Ramos",
+ "Mail": "contact.makerlab@gmail.com",
+ "Website": "https://makerlab.sytes.net/",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Server is upgraded to 20.0.0."
+}
diff --git a/old/server/nc-sa-2021-004.json b/old/server/nc-sa-2021-004.json
new file mode 100644
index 0000000..a4185b0
--- /dev/null
+++ b/old/server/nc-sa-2021-004.json
@@ -0,0 +1,32 @@
+{
+ "Title": "External storage credentials stored for wrong user",
+ "Timestamp": 1611572400,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 8.7,
+ "vector": "AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N"
+ },
+ "CWE": {
+ "id": 284,
+ "name": "Improper Access Control - Generic"
+ },
+ "HackerOne": 1061591,
+ "Affected":[
+ {
+ "Version":"20.0.6",
+ "CVE":"CVE-2021-22877",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A missing user check in Nextcloud 20.0.5 and prior allowed to populate your own credentials for other users external storage configuration when they did not configure one yet.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Alexander Hofstätter",
+ "Company": "Hofstätter IT GmbH",
+ "Website": "https://hofstaetter.io",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Server is upgraded to 20.0.6."
+}
diff --git a/old/server/nc-sa-2021-005.json b/old/server/nc-sa-2021-005.json
new file mode 100644
index 0000000..b10182c
--- /dev/null
+++ b/old/server/nc-sa-2021-005.json
@@ -0,0 +1,32 @@
+{
+ "Title": "Reflected XSS when renaming malicious file",
+ "Timestamp": 1611572400,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 5.3,
+ "vector": "AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:L"
+ },
+ "CWE": {
+ "id": 79,
+ "name": "Cross-site Scripting (XSS) - Reflected"
+ },
+ "HackerOne": 896522,
+ "Affected":[
+ {
+ "Version":"20.0.6",
+ "CVE":"CVE-2021-22878",
+ "Operator":"<"
+ }
+ ],
+ "Description":"Missing sanitization in Nextcloud Server 20.0.5 and prior allowed to perform a reflected XSS when saving html as file name and causing an error on rename e.g. by renaming to an existing file. The risk is mostly mitigated due to the strict Content-Security-Policy (CSP) of Nextcloud, and thus mainly targets browsers not supporting CSP such as Internet Explorer.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Zhouyuan Yang",
+ "Company": "Fortinet",
+ "Website": "https://www.fortiguard.com/",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Server is upgraded to 20.0.6."
+}
diff --git a/old/server/nc-sa-2021-006.json b/old/server/nc-sa-2021-006.json
new file mode 100644
index 0000000..0d5e183
--- /dev/null
+++ b/old/server/nc-sa-2021-006.json
@@ -0,0 +1,31 @@
+{
+ "Title": "External storage app saves password for all users in the database",
+ "Timestamp": 1601719200,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 5.3,
+ "vector": "AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:L"
+ },
+ "CWE": {
+ "id": 257,
+ "name": "Storing Passwords in a Recoverable Format"
+ },
+ "HackerOne": 867164,
+ "Affected":[
+ {
+ "Version":"20.0.0",
+ "CVE":"CVE-2020-8296",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A missing condition in Nextcloud Server 19 and prior caused the external storage app to always store the users password in a recoverable format.",
+ "ActionTaken": "The error has been fixed. Incorrectly stored passwords have been automatically cleaned-up from your database.",
+ "Acknowledgment":[
+ {
+ "Name": "Anderson Luiz Alves",
+ "Mail": "alacn1@gmail.com",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Server is upgraded to 20.0.0."
+}
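Review bot: The `CVSS3` block here is identical to the one in old/server/nc-sa-2021-005.json (`AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:L`, 5.3), which describes a reflected XSS. For a password kept in a recoverable format, `UI:R` and `A:L` are not explained by the description and look carried over. Please confirm the vector was scored for this issue, because downstream triage keys off it. `ActionTaken` says the stored passwords were cleaned up automatically, but the text does not say whether operators should also rotate the affected external-storage passwords; one sentence on that in `Resolution` would help.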
diff --git a/old/social/nc-sa-2020-042.json b/old/social/nc-sa-2020-042.json
new file mode 100644
index 0000000..20aba61
--- /dev/null
+++ b/old/social/nc-sa-2020-042.json
@@ -0,0 +1,31 @@
+{
+ "Title": "Improper access control to messages of Social app",
+ "Timestamp": 1602763200,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 5.0,
+ "vector": "AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"
+ },
+ "CWE": {
+ "id": 284,
+ "name": "Improper Access Control - Generic"
+ },
+ "HackerOne": 921717,
+ "Affected":[
+ {
+ "Version":"0.4.0",
+ "CVE":"CVE-2020-8278",
+ "Operator":"<"
+ }
+ ],
+ "Description":"Improper access control in Social app 0.3.1 allowed to read posts of any user.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Roger Meyer",
+ "Website": "https://twitter.com/sanktjodel",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Social app is upgraded to 0.4.0."
+}
diff --git a/old/social/nc-sa-2020-043.json b/old/social/nc-sa-2020-043.json
new file mode 100644
index 0000000..75f805c
--- /dev/null
+++ b/old/social/nc-sa-2020-043.json
@@ -0,0 +1,31 @@
+{
+ "Title": "Social App does not validate server certificates for outgoing connections",
+ "Timestamp": 1602763200,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 5.4,
+ "vector": "AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"
+ },
+ "CWE": {
+ "id": 295,
+ "name": "Improper Certificate Validation"
+ },
+ "HackerOne": 915585,
+ "Affected":[
+ {
+ "Version":"0.4.0",
+ "CVE":"CVE-2020-8279",
+ "Operator":"<"
+ }
+ ],
+ "Description":"Missing validation of server certificates for out-going connections allowed a man-in-the-middle attack.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Roger Meyer",
+ "Website": "https://twitter.com/sanktjodel",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Social app is upgraded to 0.4.0."
+}
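Review bot: `Description` names neither the product nor a version ("Missing validation of server certificates for out-going connections allowed a man-in-the-middle attack."), unlike the sibling old/social/nc-sa-2020-042.json, which says "Social app 0.3.1". Consumers that display or index the description on its own lose the affected component. Suggested opening, using the bound already given in `Affected`: `Missing validation of server certificates for outgoing connections in the Social app before 0.4.0 allowed a man-in-the-middle attack.`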
diff --git a/old/talk/nc-sa-2018-009.json b/old/talk/nc-sa-2018-009.json
new file mode 100644
index 0000000..bac4f23
--- /dev/null
+++ b/old/talk/nc-sa-2018-009.json
@@ -0,0 +1,31 @@
+{
+ "Title": "Stored XSS in autocomplete suggestions for chat @-mentions",
+ "Timestamp": 1533902400,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 0.0,
+ "vector": "AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:N"
+ },
+ "CWE": {
+ "id": 79,
+ "name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
+ },
+ "Affected":[
+ {
+ "Version":"3.2.5",
+ "CVE":"CVE-2018-3781",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected user names, hence malicious search results could only be crafted by authenticated users.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Joas Schilling",
+ "Mail": "coding@schilljs.com",
+ "Company": "Nextcloud GmbH",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Talk app is upgraded to 3.2.5."
+}
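Review bot: The `CVSS3` vector ends in `C:N/I:N/A:N`, which yields the recorded score of 0.0, yet `Description` reports a stored XSS. Tooling that sorts or filters advisories by score will treat this entry as having no security impact. The XSS entry in old/server/nc-sa-2021-002.json sets `I:L`; this one should be re-scored with at least one impact metric other than None and `score` updated to match the new vector. The file also has no `HackerOne` key, so consumers of this data set need to treat that key as optional.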
diff --git a/old/talk/nc-sa-2020-009.json b/old/talk/nc-sa-2020-009.json
new file mode 100644
index 0000000..429cf61
--- /dev/null
+++ b/old/talk/nc-sa-2020-009.json
@@ -0,0 +1,31 @@
+{
+ "Title": "Improper neutralization of item names in projects feature",
+ "Timestamp": 1564358400,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 2.0,
+ "vector": "AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N"
+ },
+ "CWE": {
+ "id": 79,
+ "name": "Improper Neutralization of Input During Web Page Generation"
+ },
+ "HackerOne": 662204,
+ "Affected":[
+ {
+ "Version":"6.0.4",
+ "CVE":"CVE-2019-15619",
+ "Operator":"<"
+ }
+ ],
+ "Description":"Improper neutralization of file names, conversation names and board names in Nextcloud Server 16.0.3, Nextcloud Talk 6.0.3 and Nextcloud Deck 0.6.5 causes an XSS when linking them with each others in a project.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Tim Coen",
+ "Website": "https://security-consulting.icu/",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Talk is upgraded to 6.0.4."
+}
diff --git a/old/talk/nc-sa-2020-011.json b/old/talk/nc-sa-2020-011.json
new file mode 100644
index 0000000..ed9562b
--- /dev/null
+++ b/old/talk/nc-sa-2020-011.json
@@ -0,0 +1,31 @@
+{
+ "Title": "Name of private conversations leaked when linked via projects to a shared item",
+ "Timestamp": 1564358400,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 2.0,
+ "vector": "AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N"
+ },
+ "CWE": {
+ "id": 284,
+ "name": "Improper Access Control"
+ },
+ "HackerOne": 662218,
+ "Affected":[
+ {
+ "Version":"6.0.4",
+ "CVE":"CVE-2019-15620",
+ "Operator":"<"
+ }
+ ],
+ "Description":"Improper access control in Nextcloud Talk 6.0.3 leaks the existance and the name of private conversations when linked them to another shared item via the projects feature.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Tim Coen",
+ "Website": "https://security-consulting.icu/",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Talk 6.0.3 is upgraded to 6.0.4."
+}
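Review bot: The published strings in this file contain wording errors that change how the advisory reads. `Description` has "leaks the existance ... when linked them", and `Resolution` says "the Nextcloud Talk 6.0.3 is upgraded to 6.0.4", which suggests only 6.0.3 is affected although `Affected` covers every version below 6.0.4. Suggested: `leaks the existence and the name of private conversations when they are linked to another shared item via the projects feature.` and `"Resolution": "It is recommended that Nextcloud Talk is upgraded to 6.0.4."`.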
diff --git a/old/talk/nc-sa-2020-021.json b/old/talk/nc-sa-2020-021.json
new file mode 100644
index 0000000..4b5deae
--- /dev/null
+++ b/old/talk/nc-sa-2020-021.json
@@ -0,0 +1,40 @@
+{
+ "Title": "Code injection possible with malformed Nextcloud Talk chat commands",
+ "Timestamp": 1587384000,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 8.0,
+ "vector": "AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H"
+ },
+ "CWE": {
+ "id": 94,
+ "name": "Code Injection"
+ },
+ "HackerOne": 851807,
+ "Affected":[
+ {
+ "Version":"8.0.8",
+ "CVE":"CVE-2020-8180",
+ "Operator":"<"
+ },
+ {
+ "Version":"7.0.3",
+ "CVE":"CVE-2020-8180",
+ "Operator":"<"
+ },
+ {
+ "Version":"6.0.5",
+ "CVE":"CVE-2020-8180",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A too lax check in Nextcloud Talk 6.0.4, 7.0.2 and 8.0.7 allowed a code injection when a not correctly sanitized talk command was added by an administrator.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Spectre",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Talk is upgraded to 8.0.8."
+}