Nextcloud


238 total issues disclosed

$33,083 total paid publicly


Most disclosed (39 disclosures) — Violation of Secure Design Principles




Disclosed Reports


| Report Title | Vulnerability Type | Disclosed By | Severity | Disclosed on |
| --- | --- | --- | --- | --- |
| End to end encryption public key is not properly verified on Desktop and Android | None supplied | rtod | Medium | 2021-09-23 |
| Clients do not verify server public key | None supplied | rtod | Low | 2021-09-23 |
| Bypass of privacy filter / tracking pixel blocker | Information Disclosure | foobar7 | Medium | 2021-08-11 |
| public webdav endpoint not bruteforce protected | None supplied | rtod | Low | 2021-08-11 |
| index.php/apps/files_sharing/shareinfo endpoint is not properly protected | Denial of Service | rtod | Medium | 2021-08-11 |
| Add to your nextcloud endpoint is not properly protected | None supplied | rtod | Low | 2021-08-11 |
| ApiService#fetch serves content as text/html and inline Content-Disposition | Cross-site Scripting (XSS) - Stored | lukasreschkenc | No rating | 2021-08-11 |
| Text app leaks file path of shared files | Information Disclosure | lukasreschkenc | Low | 2021-08-11 |
| Download of file with arbitrary extension via injection into attachment header | Code Injection | foobar7 | Medium | 2021-08-11 |
| Ratelimits do not apply to OCS DataResponse | Brute Force | lukasreschkenc | None | 2021-08-11 |
| Virtual Data Room / Hide download on collabora is easy to bypass | Improper Access Control - Generic | rtod | High | 2021-08-07 |
| Webauthn tokens are not removed on user deletion | Improper Access Control - Generic | rtod | Medium | 2021-08-07 |
| Two-factor authentication enforcement bypass | None supplied | abdullah-a | High | 2021-07-31 |
| Leak arbitrary file under nextcloud android client privacy directory | None supplied | wester0x01 | Medium | 2021-07-17 |
| Ransomware protection is missing extentions take 2 | None supplied | rtod | Low | 2021-07-16 |
| User deletion is not handled properly everywhere | None supplied | rtod | Medium | 2021-07-15 |
| Scoped apptokens can be changed by that very apptoken | Improper Access Control - Generic | rtod | High | 2021-07-15 |
| Admin audit is not properly logging unsetting of expiration date | None supplied | rtod | Low | 2021-07-15 |
| Ratelimiting can be bypassed using IPv6 subnets | Brute Force | sjw | Low | 2021-07-01 |
| Session fixation on public talk links | Session Fixation | rtod | Medium | 2021-06-16 |
| Android app does not clear end to end encryption keys | None supplied | rtod | Low | 2021-06-16 |
| Default Nextcloud Server and Android Client leak sharee searches to Nextcloud | Improper Access Control - Generic | rtod | Low | 2021-06-15 |
| File drop public link can also be converted to federated share | Improper Access Control - Generic | rtod | Low | 2021-06-10 |
| Trusted servers exchange can be triggered by attacker | Improper Access Control - Generic | rtod | Medium | 2021-06-10 |
| Default settings leak federated cloud id to lookup server of all users | Information Disclosure | rtod | Low | 2021-06-10 |
| Attacker can obtain write access to any federated share/public link | Improper Authentication - Generic | rtod | High | 2021-06-10 |
| SSL certificate not validated when registering with a provider | Cryptographic Issues - Generic | icewater | Medium | 2021-06-02 |
| Nextcloud Desktop Client RCE via malicious URI schemes | Resource Injection | 7a69 | Medium | 2021-04-15 |
| Social App does not validate server certificates for outgoing connections | Improper Certificate Validation | sanktjodel | Medium | 2020-11-17 |
| Leaked of Profile Image from URL changing | None supplied | myat_htut_kyaw | No rating | 2020-11-17 |
| Improper access control to messages of Social app | Improper Access Control - Generic | sanktjodel | Medium | 2020-11-17 |
| Message Authentication Codes calculated by the Default Encryption Module allow an attacker to silently overwrite blocks in a file | Violation of Secure Design Principles | yahe | Low | 2020-11-05 |
| Downgrade encryption scheme and break integrity through known-plaintext attack | Cryptographic Issues - Generic | yahe | Medium | 2020-11-05 |
| No rate limiting for confirmation email lead to huge Mass mailings | Business Logic Errors | kittytrace | Medium | 2020-11-04 |
| Reduced purmations on encryption | Cryptographic Issues - Generic | lynn-stephenson | Low | 2020-10-28 |
| The password of a mail share is not hashed if the password is given when the share is created | Plaintext Storage of a Password | daniel_calvino_sanchez | Low | 2020-10-28 |
| PIN for passwordless WebAuthn is asked for but not verified | Improper Authentication - Generic | dschuermann | Medium | 2020-10-28 |
| Bypass hide download Nextcloud Share | Business Logic Errors | shiniko | High | 2020-10-05 |
| Recently change email but still login with old email | Improper Authentication - Generic | dream_changer | High | 2020-09-29 |
| Access control missing while viewing the attachments in the "All boards" | Insecure Direct Object Reference (IDOR) | divyesh01 | Medium | 2020-09-29 |
| Re-Sharing allows increase of privileges | Improper Privilege Management | alx_il | Medium | 2020-09-28 |
| Missing server side controls when editing the board’s sharing permissions per user | Improper Access Control - Generic | warsocks | High | 2020-09-28 |
| No rate limiting on sinup page | Business Logic Errors | xam24 | Low | 2020-09-28 |
| Stored XSS in collabora via user name | Cross-site Scripting (XSS) - Stored | meliodas19 | Low | 2020-09-19 |
| Clear text storage of proxy parameters and passwords | Cleartext Storage of Sensitive Information | rbcafe | Low | 2020-09-16 |
| Possible denial of service when entering a loooong password | Brute Force | guoxuxin | Medium | 2020-09-16 |
| Linux client is vulnerable to directory traversal when downloading files | Path Traversal | icewater | Medium | 2020-08-17 |
| XSS in desktop client via invalid server address on login form | Cross-site Scripting (XSS) - Generic | jplopezy | Medium | 2020-08-17 |
| RTLO character allowed in shared files | UI Redressing (Clickjacking) | inhibitor181 | Medium | 2020-08-17 |
| Missing memory corruption protection on Windows release built | Memory Corruption - Generic | secconsult | Medium | 2020-08-14 |
| Memory Leak in OCUtil.dll library in Desktop client can lead to DoS | Denial of Service | cwave | Medium | 2020-08-06 |
| Arbitrary code execution in desktop client via OpenSSL config | Code Injection | l00ph0le | Medium | 2020-08-05 |
| XSS in image metadata field | Cross-site Scripting (XSS) - Stored | yzy9951 | Medium | 2020-08-05 |
| Anonymous file drop page ignores user profile visibility restrictions | Information Disclosure | pshknst | No rating | 2020-08-03 |
| Possible denial of service when entering a loooong password | Brute Force | xcheater | Medium | 2020-07-29 |
| Contacts menu (not app) fails to restrict (to local groups) for contacts from federated servers | Information Disclosure | nursoda | Low | 2020-07-25 |
| Non-admin users can trigger writes to memcached by entering a malicious server as a share URL | CRLF Injection | jmdx | Medium | 2020-07-09 |
| Unrestricted file upload on the image of contacts | Business Logic Errors | hitman_47 | Low | 2020-07-08 |
| PHPUnit is included in groupfolders release package potentially causing RCE | None supplied | ledfan | No rating | 2020-06-25 |
| Cross site scripting - XSRF Token | Cross-site Scripting (XSS) - Generic | a9hora | Medium | 2020-06-14 |
| Mail does not verify IMAP/SMTP host connected via TLS | Improper Certificate Validation | christophwurst | Medium | 2020-06-03 |
| Allows any user to share their "Root" level folder by sharing "." | Improper Access Control - Generic | chevonphillip | None | 2020-06-03 |
| Code injection possible with malformed Nextcloud Talk chat commands | Code Injection | covert-spectre | High | 2020-06-02 |
| Code injection possible with malformed Nextcloud Talk chat commands | Code Injection | covert-spectre | High | 2020-06-02 |
| XSS in PDF Viewer | Cross-site Scripting (XSS) - Generic | skewbed | Low | 2020-05-24 |
| Missing ownership check on remote wipe endpoint | Insecure Direct Object Reference (IDOR) | hitman_47 | High | 2020-04-19 |
| User can delete data in shared folders he's not autorized to access | Improper Access Control - Generic | jlord87 | Medium | 2020-04-10 |
| Code injection in macOS Desktop Client | Code Injection | r3ggi-on-h1 | Low | 2020-04-10 |
| "Secure View" aka "Hide Download" can be bypassed easily | Improper Access Control - Generic | at5djl3pwjmunyutnoatp | High | 2020-04-10 |
| Self xss | Cross-site Scripting (XSS) - Generic | iwallplace | Low | 2020-04-05 |
| potential RCE and XSS via file upload requiring user account and default settings | Code Injection | rcejules | High | 2020-04-01 |
| Docker image with FPM is vulnerable to CVE-2019-11043 | Code Injection | beched | Critical | 2020-03-14 |
| SSRF protection bypass | Server-Side Request Forgery (SSRF) | foobar7 | Medium | 2020-03-14 |
| Only the file extensions are checked, not the MIME types as configured | None supplied | teaport | Medium | 2020-03-14 |
| Remote code execution via path traversal in Zip extraction in the Extract app | Path Traversal | emilvirkki | High | 2020-03-07 |
| http://www.nextcloud.com/wp-includes/js/swfupload/swfupload.swf allows open redirect / site defacement | Open Redirect | todayisnew | No rating | 2020-03-07 |
| [Reflected XSS] In Request URL | Cross-site Scripting (XSS) - Reflected | nstikhomirov | Low | 2020-03-01 |
| Username and Access Token Disclousure | Violation of Secure Design Principles | jannikg | Low | 2020-03-01 |
| User with read-only access to a share can gain write access to sub-folders in the share | Privilege Escalation | phil-davis | Medium | 2020-03-01 |
| Persistent XSS via filename in projects | Cross-site Scripting (XSS) - Stored | foobar7 | Low | 2020-03-01 |
| Access to all files of remote user through shared file | Information Disclosure | xuesheng | Medium | 2020-03-01 |
| No session logout after changing password & alsoandroid sessions not shown in sessions list so they can be deleted | Violation of Secure Design Principles | whitehattushu | No rating | 2020-02-09 |
| File-drop content is visible through the gallery app | None supplied | nursoda | Medium | 2020-01-31 |
| Arbitrary SQL command injection | SQL Injection | leonklingele | Critical | 2019-07-21 |
| Remote Code Execution via Extract App Plugin | OS Command Injection | hdbreaker | High | 2019-05-30 |
| Session fixation in password protected public download. | Session Fixation | frankspierings | Low | 2018-10-25 |
| Authentication Issue | Improper Authentication - Generic | bugdiscloseguys | No rating | 2018-10-25 |
| twofactor_auth bypassable if provider fails to load | Improper Authentication - Generic | cyphar | Low | 2018-09-27 |
| Shared file link - password protection bypass under certain conditions | Information Disclosure | icewater | Medium | 2018-09-25 |
| Access control issue -- [Allow file system access not validated when using session auth] | Improper Access Control - Generic | born2hack | Medium | 2018-09-25 |
| HTML injection with AutoComplete suggestions | Cross-site Scripting (XSS) - Generic | nickvergessen | None | 2018-08-10 |
| [FG-VD-17-063] NextCloud Insufficient Attack Protection Vulnerability Notification | Code Injection | yzy9951 | Low | 2018-07-29 |
| bypass of 2FA | Improper Authentication - Generic | kaysbugs | High | 2018-07-29 |
| OAuth2 Access Token and App Password Security Vulnerability | Use of a Key Past its Expiration Date | noumar | Medium | 2018-07-21 |
| Accessing to download.nextcloud.com from original ip adreess \| insecure Download | Cleartext Transmission of Sensitive Information | iheb_hamad | No rating | 2018-07-12 |
| The session token in the URL | Information Disclosure | mandark | Medium | 2018-06-19 |
| File access control rules not enforced on image files | Improper Access Control - Generic | reinism | Low | 2018-06-15 |
| Disclosed Version of PORTS SSH\|HTTP\|SSL | Information Disclosure | iheb_hamad | Low | 2018-06-14 |
| Banner Grabbing - Apache Server Version Disclousure | Information Disclosure | cybertiger | No rating | 2018-05-17 |
| Banner Grabbing - Apache Server Version Disclosure | Information Disclosure | kistimat | No rating | 2018-05-17 |
| Information Exposure Through Directory Listing | Information Exposure Through Directory Listing | mobius07 | None | 2018-05-17 |
| Possible RCE | Command Injection - Generic | paulos_ | No rating | 2018-03-08 |
| Email Notification should be get while changing password on apps.nextcloud.com | None supplied | an0nym0us | No rating | 2018-02-28 |
| Registered users can change app password permissions for any user | Insecure Direct Object Reference (IDOR) | icewater | Low | 2018-02-08 |
| WordPress < 4.8.2 vulnerable to multiple attacks | Violation of Secure Design Principles | luckydivino | Low | 2017-09-27 |
| IDOR unsubscribe Anyone from NextClouds Newsletters by knowing their Email | Insecure Direct Object Reference (IDOR) | babayaga_ | Medium | 2017-09-16 |
| Wordpress Vulnerable to Potential Unauthorized Password Reset | None supplied | japz | Low | 2017-08-15 |
| https://xmpp.nextcloud.com///;@www.google.com allows open redirect | Open Redirect | todayisnew | No rating | 2017-08-13 |
| Directory Listing In Subdomain Of nextcloud.com | Information Exposure Through Directory Listing | xyberwolf | Low | 2017-07-14 |
| ci.nextcloud.com: CVE-2015-5477 BIND9 TKEY Vulnerability + Exploit (Denial of Service) | Denial of Service | js_whitehat | High | 2017-06-08 |
| DOM XSS vulnerability in search dialogue (NC-SA-2017-007) | Cross-site Scripting (XSS) - Generic | pain_ | Low | 2017-06-07 |
| Stored XSS in Gallery application (NC-SA-2017-010) | Cross-site Scripting (XSS) - Generic | lukasreschke | Low | 2017-06-06 |
| Share tokens for public calendars disclosed (NC-SA-2017-011) | Information Exposure Through Directory Listing | lukasreschke | Medium | 2017-06-06 |
| Missing Rate Limiting protection leading to mass triggering of e-mails | Violation of Secure Design Principles | giligails | Medium | 2017-06-05 |
| Missing Rate Limit for Current Password field in nextcloud.com | Improper Authentication - Generic | sumitsahoo | Low | 2017-05-20 |
| Privilege escalation - Normal user can somehow make admin to delete shared folders | Privilege Escalation | ayid | High | 2017-05-20 |
| Dav sharing permissions issue | Privilege Escalation | nickvergessen | Medium | 2017-05-20 |
| Clickjacking In https://demo.nextcloud.com | UI Redressing (Clickjacking) | xsszeeshan | Critical | 2017-05-20 |
| Content spoofing due to the improper behavior of the 403 page | Violation of Secure Design Principles | t-pwn | No rating | 2017-05-18 |
| Content spoofing due to the improper behavior of the 403 page | None supplied | t-pwn | No rating | 2017-05-18 |
| Email Spoofing Vulnerability from nextcloud. | None supplied | cloudyvirus | High | 2017-05-18 |
| Reflected XSS in error pages (NC-SA-2017-008) | Cross-site Scripting (XSS) - Reflected | sinkmanu | Low | 2017-05-15 |
| Possible SSRF in email server settings(SMTP mode) | Server-Side Request Forgery (SSRF) | xifengweiyu | Medium | 2017-05-15 |
| Content (Text) Injection at https://nextcloud.com | Violation of Secure Design Principles | xifengweiyu | Low | 2017-05-15 |
| Nextcloud Server Remote Command Execution | None supplied | sniperpex | High | 2017-05-10 |
| Limitation of app specific password scope can be bypassed (NC-SA-2017-009) | Privilege Escalation | makosdel | Low | 2017-05-08 |
| Calendar and addressbook names disclosed (NC-SA-2017-012) | Information Disclosure | juliushaertl | Low | 2017-05-08 |
| I am because bug | None supplied | b69b1b97b19c1c71b0eed85 | Critical | 2017-05-04 |
| Content Spoofing/Text Injection in https://demo.nextcloud.com | Violation of Secure Design Principles | smit | Low | 2017-04-28 |
| Update php-saml library to 2.10.5 | Cryptographic Issues - Generic | lukasreschke | Low | 2017-04-28 |
| Cross Site Scripting | None supplied | lulliii | No rating | 2017-04-26 |
| information disclose | Information Disclosure | abdul1ah | No rating | 2017-04-25 |
| The email API to test email-server settings is unlimited and can be used as a email bomb | Improper Access Control - Generic | xifengweiyu | Medium | 2017-04-24 |
| XSS on IOS app via HTML rendering | Cross-site Scripting (XSS) - Stored | bugdiscloseguys | Low | 2017-04-20 |
| The email API to reset password is unlimited and can be used as a email bomb | Improper Access Control - Generic | xifengweiyu | Low | 2017-04-20 |
| failure to invalidate session on password change | Improper Authentication - Generic | pradeepch99 | No rating | 2017-04-20 |
| Information disclosure | Information Disclosure | amirisme | No rating | 2017-04-20 |
| SSRF at apps.nextcloud.com/developer/apps/releases/new | Server-Side Request Forgery (SSRF) | t-pwn | No rating | 2017-04-20 |
| GIT Detected | Information Disclosure | lulliii | No rating | 2017-04-20 |
| bug reporting template encourages users to paste config file with passwords | Information Disclosure | hanno | Medium | 2017-04-19 |
| CSRF token validation is missing | Cross-Site Request Forgery (CSRF) | 596a96cc7bf9108cd896f33c4 | Medium | 2017-04-19 |
| Content Spoofing/Text Injection in nextcloud.com | Violation of Secure Design Principles | demo--hacker | Low | 2017-04-19 |
| https://portal.nextcloud.com/.htaccess file is readable | Information Disclosure | sahilmk | No rating | 2017-04-14 |
| Invalid request may lead content spoofing for phishing | Violation of Secure Design Principles | d4rk_g1rl | No rating | 2017-04-12 |
| Design Issues on ( ███ ) Lead to show ( IPS of Users ) | None supplied | m7mdharoun | Medium | 2017-04-05 |
| Android - Possible to intercept broadcasts about uploaded files | Information Disclosure | bagipro | No rating | 2017-03-23 |
| Server version/OS type disclosure via HTTP Response Header | None supplied | ryudox | Low | 2017-03-23 |
| Reflected XSS in U2F plugin by shipping the example endpoints | Cross-site Scripting (XSS) - Generic | lukasreschke | High | 2017-03-22 |
| Bypassing quota limit | Privilege Escalation | nordin | None | 2017-03-10 |
| Version 4.7.2 of wordpress is vulnerable | None supplied | demo--hacker | High | 2017-03-07 |
| Content Spoofing in "files" app | Violation of Secure Design Principles | ahsan | Low | 2017-03-06 |
| Group admin can remove user from all his groups via API | None supplied | nickvergessen | None | 2017-02-23 |
| Review remote code execution in SwiftMailer | Code Injection | lukasreschke | None | 2017-02-18 |
| xss for admin of https://newsletter.nextcloud.com | Cross-site Scripting (XSS) - Generic | sergeym | No rating | 2017-02-17 |
| Drone Nextcloud | None supplied | rbcafe | No rating | 2017-02-12 |
| User Information Disclosure via REST API | Information Disclosure | raunak2002 | No rating | 2017-02-11 |
| Missing SPF Flags on nextcloud.com | Violation of Secure Design Principles | ph_spade | No rating | 2017-02-10 |
| Bypass permissions | Privilege Escalation | secator | Medium | 2017-02-09 |
| Filename enumeration && DoS | Denial of Service | secator | Low | 2017-02-09 |
| Wordpress 4.7.1 | None supplied | rbcafe | Low | 2017-01-27 |
| Email Spoofing | Violation of Secure Design Principles | khalidamin | No rating | 2017-01-25 |
| Nextcloud.com is vulnerable to SWEET32 attack | Cryptographic Issues - Generic | pkkothawade | No rating | 2017-01-25 |
| HTTP-Basic Authentication on logs.nextcloud.com | Violation of Secure Design Principles | rbcafe | No rating | 2017-01-17 |
| Avatar image upload and bypass real image verification | Violation of Secure Design Principles | dremos | No rating | 2017-01-15 |
| Disclosure of administrators via JSON on nextcloud.com Wordpress | Information Disclosure | rbcafe | No rating | 2017-01-13 |
| WordPress <= 4.6.1 Stored XSS Via Theme File | Cross-site Scripting (XSS) - Generic | madrobot | No rating | 2017-01-13 |
| Bad content-type in response header when getting document can lead to html injection | Cross-site Scripting (XSS) - Generic | trichimtrich | Medium | 2017-01-12 |
| URI scheme bypass in mail app lead to HTML content spoof and opener control | Violation of Secure Design Principles | trichimtrich | No rating | 2017-01-12 |
| Files Drop: WebDAV endpoint is leaking existence of resources | Information Disclosure | lukasreschke | Low | 2017-01-01 |
| Stored XSS on new Calling plugin (spreed) | Cross-site Scripting (XSS) - Generic | coolboss | High | 2016-12-13 |
| Share owner has no possibility to list all existing derived shares | Improper Authentication - Generic | detroitsmash | No rating | 2016-12-13 |
| Password reset link remains valid after email change | Improper Authentication - Generic | rootxflood | No rating | 2016-12-13 |
| [Nextcloud 9.0.53] Content Spoofing in 'trustDomain' parameter | Violation of Secure Design Principles | ahsan | No rating | 2016-12-05 |
| Login Hints on Admin Panel | Violation of Secure Design Principles | madhur_bhargava | Medium | 2016-12-05 |
| BruteForce in to Admin Account | Improper Authentication - Generic | hackerwahab | High | 2016-12-04 |
| Wordpress Version Disclosure Bug On Nextcloud | Information Disclosure | cr4zyrud | Low | 2016-12-04 |
| Reflected XSS in Gallery App | Cross-site Scripting (XSS) - Generic | soreks | Medium | 2016-12-03 |
| \OCA\DAV\CardDAV\ImageExportPlugin allows serving arbitrary data with user-defined or empty mimetype | Cross-site Scripting (XSS) - Generic | lukasreschke | Medium | 2016-12-03 |
| IDOR - Disable sharing | Privilege Escalation | dalt | Low | 2016-12-03 |
| Content (Text) Injection at NextCloud Server 9.0.52 - via http://custom_nextcloud_url/remote.php/dav/files/ | Violation of Secure Design Principles | config | Low | 2016-12-02 |
| xss on demo.nextcloud.com due to outdated version | Cross-site Scripting (XSS) - Generic | bm666 | No rating | 2016-11-26 |
| More content spoofing through dir param in the files app | Violation of Secure Design Principles | lmx | Low | 2016-11-04 |
| [Thirdparty] Stored XSS in chat module - nextcloud server 9.0.51 installed in ubuntu 14.0.4 LTS | Cross-site Scripting (XSS) - Generic | ayid | Medium | 2016-11-02 |
| Content spoofing due to the improper behavior of the 403 page in Private Server | Violation of Secure Design Principles | ahsan | None | 2016-10-31 |
| Content spoofing in lookup.nextcloud.com | Violation of Secure Design Principles | csanuragjain | Low | 2016-10-10 |
| Slow Http attack on nextcloud(DOS) | Denial of Service | drosera | No rating | 2016-10-05 |
| Arbitrary File Upload in Logo & Log in image Theming setting. | Cross-site Scripting (XSS) - Generic | bastianwelfrid | No rating | 2016-10-05 |
| demo.nextcloud.com: Content spoofing due to default Apache Error Page | Violation of Secure Design Principles | sysecure | No rating | 2016-09-29 |
| Password Reset Link issue | Improper Authentication - Generic | i1ackerone | No rating | 2016-09-23 |
| Unauthenticated Stored xss | Cross-site Scripting (XSS) - Generic | spetr0x | No rating | 2016-09-13 |
| Directory listening enabled in: 88.198.160.130 | Information Disclosure | sandh0t | No rating | 2016-09-04 |
| Reflected Self-XSS Vulnerability in the Comment section of Files (Different-payloads) | Cross-site Scripting (XSS) - Generic | shivakumar143 | No rating | 2016-08-31 |
| Content spoofing in cloud.nextcloud.com | Violation of Secure Design Principles | ahsan | No rating | 2016-08-30 |
| demo.nextcloud.com: Content spoofing due to default Apache Error Page | Violation of Secure Design Principles | cutejoker | No rating | 2016-08-30 |
| Reflected Self-XSS Vulnerability in the Comment section of Files Information | Cross-site Scripting (XSS) - Generic | naveenv | No rating | 2016-08-30 |
| Content Injection - demo.nextcloud.com | Violation of Secure Design Principles | spodermen | No rating | 2016-08-26 |
| Content Injection - apps.nextcloud.com | Violation of Secure Design Principles | spodermen | No rating | 2016-08-26 |
| Information Disclosure of .htaccess file in Private Server/Subdomain | Information Disclosure | ahsan | No rating | 2016-08-26 |
| Wordpress: Directory Traversal / Denial of Serivce | Information Disclosure | tbehroz | No rating | 2016-08-26 |
| Expired SSL certificate | Violation of Secure Design Principles | goethe_ | No rating | 2016-08-25 |
| Response Header injection using redirect_uri together with PHP that utilizes Header Folding according to RFC1945 and Internet Explorer 11 | Violation of Secure Design Principles | fransrosen | No rating | 2016-08-17 |
| Bookmarks: Delete all existing bookmarks of a user | Privilege Escalation | ctee | No rating | 2016-08-08 |
| help.nextcloud.com: Known DoS condition (null pointer deref) in Nginx running | Denial of Service | shoveller | No rating | 2016-07-27 |
| Read-only share recipient can restore old versions of file | Improper Authentication - Generic | bugdiscloseguys | No rating | 2016-07-19 |
| Log pollution can lead to HTML Injection. | Cross-site Scripting (XSS) - Generic | apok | No rating | 2016-07-19 |
| Uploading files to a folder where invited user don't have any EDIT privilege | Improper Authentication - Generic | detroitsmash | No rating | 2016-07-19 |
| Stored XSS on Share-popup of a directory's Gallery-view | Cross-site Scripting (XSS) - Generic | fransrosen | No rating | 2016-07-19 |
| Nextcloud server software: Content Spoofing | Violation of Secure Design Principles | ishahriyar | No rating | 2016-07-19 |
| newsletter.nextcloud.com: Bypass firewall protection | Improper Authentication - Generic | bug_cat | No rating | 2016-07-19 |
| The application uses basic authentication. | Improper Authentication - Generic | roshanpty | No rating | 2016-07-18 |
| nextcloud.com: Mail Bombing ( No Rate Limiting On Sending Emails On Contact us Page) | Memory Corruption - Generic | ashish_pathak | No rating | 2016-07-17 |
| stats.nextcloud.com: Content Injection | Violation of Secure Design Principles | kiraak-boy | No rating | 2016-07-17 |
| REG: Content provider information leakage | Command Injection - Generic | zeroknife | No rating | 2016-06-24 |
| WordPress Vulnerabilities: User Enumeration, Vulnerable Akismet Plugin, XML-RPC Interface available | Information Disclosure | vivek-p | No rating | 2016-06-22 |
| No Rate Limiting on stats.nextcloud.com login | Violation of Secure Design Principles | japz | No rating | 2016-06-22 |
| Deny access to download.nextcloud.com + folders | Information Disclosure | thearmfox | No rating | 2016-06-21 |
| Email ID Disclosure. | Information Disclosure | bugdiscloseguys | No rating | 2016-06-20 |
| No rate limiting on password protected shared file link | Improper Authentication - Generic | johnd | No rating | 2016-06-20 |
| No permission set on Activities [Android App] | Improper Authentication - Generic | gaurang | No rating | 2016-06-20 |
| Bruteforcing help.nextcloud.com | Improper Authentication - Generic | japz | No rating | 2016-06-19 |
| Lost Password CSRF | Cross-Site Request Forgery (CSRF) | mefkan | No rating | 2016-06-19 |
| help.nextcloud Email Address/Username enumeration | Information Disclosure | japz | No rating | 2016-06-19 |
| Enumeration of subscribed users and unauthenticated email unsubscriptions on https://newsletter.nextcloud.com/?p=unsubscribe | Information Disclosure | strukt | No rating | 2016-06-19 |
| Bruteforce attack is possible on newsletter.nextcloud.com | Improper Authentication - Generic | koolacac | No rating | 2016-06-19 |
| Content Injection in subdomain | Violation of Secure Design Principles | testest | No rating | 2016-06-19 |
| Content injection in subdomain | Violation of Secure Design Principles | testest | No rating | 2016-06-19 |
| Business/Functional logic bypass: Remove admins from admin group. | Privilege Escalation | paglababa | No rating | 2016-06-19 |
| Content Spoofing/Text Injection - docs.nextcloud.org | Violation of Secure Design Principles | ahsan | No rating | 2016-06-19 |
| Content Injection 404 page | Violation of Secure Design Principles | testest | No rating | 2016-06-19 |
| No captcha on newsletter.nextcloudcom leaves vulnerable to email spammers | Violation of Secure Design Principles | aaron_costello | No rating | 2016-06-19 |
| Content Spoofing | Violation of Secure Design Principles | ashish_pathak | No rating | 2016-06-19 |
| https://newsletter.nextcloud.com Directory listening and Information Disclosure | Information Disclosure | mefkan | No rating | 2016-06-18 |
| Directory Listing On download.nextcloud.com & Practical Attacks on PGP (Pretty Good Privacy) | Cryptographic Issues - Generic | 1337_inj3c70r | No rating | 2016-06-17 |
| Server side request forgery (SSRF) on nextcloud implementation. | None supplied | paglababa | No rating | 2016-06-17 |
| Vulnerable Javascript library | Information Disclosure | paulochoupina | No rating | 2016-06-17 |
| help.nextcloud.com: Session Management Issue | None supplied | ahsan | No rating | 2016-06-17 |
| nextcloud.com: Directory listening for 'wp-includes' forders | Information Disclosure | zuh4n | No rating | 2016-06-17 |
| nextcloud.com: Content Injection Custom 404 Error | Violation of Secure Design Principles | geekboy | No rating | 2016-06-17 |