Nextcloud


Most disclosed vulnerability type (39 disclosures) — Violation of Secure Design Principles

ahsan has disclosed the most with 7 reports!

208 total issues disclosed

$16,608 total paid publicly


Accepts reports via HackerOne





Most recently disclosed


Leaked of Profile Image from URL changing

Submitted by myat_htut_kyaw
Bug Type: None supplied

Disclosed on 2020-11-17

Rating: No rating


Social App does not validate server certificates for outgoing connections

Submitted by sanktjodel
Bug Type: Improper Certificate Validation

Disclosed on 2020-11-17

Rating: Medium


Message Authentication Codes calculated by the Default Encryption Module allow an attacker to silently overwrite blocks in a file

Submitted by yahe
Bug Type: Violation of Secure Design Principles

Disclosed on 2020-11-05

Rating: Low


Downgrade encryption scheme and break integrity through known-plaintext attack

Submitted by yahe
Bug Type: Cryptographic Issues - Generic

Disclosed on 2020-11-05

Rating: Medium


No rate limiting for confirmation email leads to huge mass mailings

Submitted by kittytrace
Bug Type: Business Logic Errors

Disclosed on 2020-11-04

Rating: Medium


PIN for passwordless WebAuthn is asked for but not verified

Submitted by dschuermann
Bug Type: Improper Authentication - Generic

Disclosed on 2020-10-28

Rating: Medium


The password of a mail share is not hashed if the password is given when the share is created

Submitted by daniel_calvino_sanchez
Bug Type: Plaintext Storage of a Password

Disclosed on 2020-10-28

Rating: Low


Reduced permutations on encryption

Submitted by lynn-stephenson
Bug Type: Cryptographic Issues - Generic

Disclosed on 2020-10-28

Rating: Low


Bypass hide download Nextcloud Share

Submitted by shiniko
Bug Type: Business Logic Errors

Disclosed on 2020-10-05

Rating: High


Recently change email but still login with old email

Submitted by dream_changer
Bug Type: Improper Authentication - Generic

Disclosed on 2020-09-29

Rating: High


Access control missing while viewing the attachments in the "All boards"

Submitted by divyesh01
Bug Type: Insecure Direct Object Reference (IDOR)

Disclosed on 2020-09-29

Rating: Medium


Missing server side controls when editing the board’s sharing permissions per user

Submitted by warsocks
Bug Type: Improper Access Control - Generic

Disclosed on 2020-09-28

Rating: High


No rate limiting on signup page

Submitted by xam24
Bug Type: Business Logic Errors

Disclosed on 2020-09-28

Rating: Low


Re-Sharing allows increase of privileges

Submitted by alx_il
Bug Type: Improper Privilege Management

Disclosed on 2020-09-28

Rating: Medium


Stored XSS in collabora via user name

Submitted by meliodas19
Bug Type: Cross-site Scripting (XSS) - Stored

Disclosed on 2020-09-19

Rating: Low