| Title | Weakness | Reporter | Severity | Date |
|---|---|---|---|---|
| End to end encryption public key is not properly verified on Desktop and Android | None supplied | rtod | Medium | 2021-09-23 |
| Clients do not verify server public key | None supplied | rtod | Low | 2021-09-23 |
| Bypass of privacy filter / tracking pixel blocker | Information Disclosure | foobar7 | Medium | 2021-08-11 |
| public webdav endpoint not bruteforce protected | None supplied | rtod | Low | 2021-08-11 |
| index.php/apps/files_sharing/shareinfo endpoint is not properly protected | Denial of Service | rtod | Medium | 2021-08-11 |
| Add to your nextcloud endpoint is not properly protected | None supplied | rtod | Low | 2021-08-11 |
| ApiService#fetch serves content as text/html and inline Content-Disposition | Cross-site Scripting (XSS) - Stored | lukasreschkenc | No rating | 2021-08-11 |
| Text app leaks file path of shared files | Information Disclosure | lukasreschkenc | Low | 2021-08-11 |
| Download of file with arbitrary extension via injection into attachment header | Code Injection | foobar7 | Medium | 2021-08-11 |
| Ratelimits do not apply to OCS DataResponse | Brute Force | lukasreschkenc | None | 2021-08-11 |
| Virtual Data Room / Hide download on collabora is easy to bypass | Improper Access Control - Generic | rtod | High | 2021-08-07 |
| Webauthn tokens are not removed on user deletion | Improper Access Control - Generic | rtod | Medium | 2021-08-07 |
| Two-factor authentication enforcement bypass | None supplied | abdullah-a | High | 2021-07-31 |
| Leak arbitrary file under nextcloud android client privacy directory | None supplied | wester0x01 | Medium | 2021-07-17 |
| Ransomware protection is missing extensions take 2 | None supplied | rtod | Low | 2021-07-16 |
| User deletion is not handled properly everywhere | None supplied | rtod | Medium | 2021-07-15 |
| Scoped apptokens can be changed by that very apptoken | Improper Access Control - Generic | rtod | High | 2021-07-15 |
| Admin audit is not properly logging unsetting of expiration date | None supplied | rtod | Low | 2021-07-15 |
| Ratelimiting can be bypassed using IPv6 subnets | Brute Force | sjw | Low | 2021-07-01 |
| Session fixation on public talk links | Session Fixation | rtod | Medium | 2021-06-16 |
| Android app does not clear end to end encryption keys | None supplied | rtod | Low | 2021-06-16 |
| Default Nextcloud Server and Android Client leak sharee searches to Nextcloud | Improper Access Control - Generic | rtod | Low | 2021-06-15 |
| File drop public link can also be converted to federated share | Improper Access Control - Generic | rtod | Low | 2021-06-10 |
| Trusted servers exchange can be triggered by attacker | Improper Access Control - Generic | rtod | Medium | 2021-06-10 |
| Default settings leak federated cloud id to lookup server of all users | Information Disclosure | rtod | Low | 2021-06-10 |
| Attacker can obtain write access to any federated share/public link | Improper Authentication - Generic | rtod | High | 2021-06-10 |
| SSL certificate not validated when registering with a provider | Cryptographic Issues - Generic | icewater | Medium | 2021-06-02 |
| Nextcloud Desktop Client RCE via malicious URI schemes | Resource Injection | 7a69 | Medium | 2021-04-15 |
| Social App does not validate server certificates for outgoing connections | Improper Certificate Validation | sanktjodel | Medium | 2020-11-17 |
| Leak of Profile Image from URL changing | None supplied | myat_htut_kyaw | No rating | 2020-11-17 |
| Improper access control to messages of Social app | Improper Access Control - Generic | sanktjodel | Medium | 2020-11-17 |
| Message Authentication Codes calculated by the Default Encryption Module allow an attacker to silently overwrite blocks in a file | Violation of Secure Design Principles | yahe | Low | 2020-11-05 |
| Downgrade encryption scheme and break integrity through known-plaintext attack | Cryptographic Issues - Generic | yahe | Medium | 2020-11-05 |
| No rate limiting for confirmation email lead to huge Mass mailings | Business Logic Errors | kittytrace | Medium | 2020-11-04 |
| Reduced permutations on encryption | Cryptographic Issues - Generic | lynn-stephenson | Low | 2020-10-28 |
| The password of a mail share is not hashed if the password is given when the share is created | Plaintext Storage of a Password | daniel_calvino_sanchez | Low | 2020-10-28 |
| PIN for passwordless WebAuthn is asked for but not verified | Improper Authentication - Generic | dschuermann | Medium | 2020-10-28 |
| Bypass hide download Nextcloud Share | Business Logic Errors | shiniko | High | 2020-10-05 |
| Recently change email but still login with old email | Improper Authentication - Generic | dream_changer | High | 2020-09-29 |
| Access control missing while viewing the attachments in the "All boards" | Insecure Direct Object Reference (IDOR) | divyesh01 | Medium | 2020-09-29 |
| Re-Sharing allows increase of privileges | Improper Privilege Management | alx_il | Medium | 2020-09-28 |
| Missing server side controls when editing the board’s sharing permissions per user | Improper Access Control - Generic | warsocks | High | 2020-09-28 |
| No rate limiting on signup page | Business Logic Errors | xam24 | Low | 2020-09-28 |
| Stored XSS in collabora via user name | Cross-site Scripting (XSS) - Stored | meliodas19 | Low | 2020-09-19 |
| Clear text storage of proxy parameters and passwords | Cleartext Storage of Sensitive Information | rbcafe | Low | 2020-09-16 |
| Possible denial of service when entering a loooong password | Brute Force | guoxuxin | Medium | 2020-09-16 |
| Linux client is vulnerable to directory traversal when downloading files | Path Traversal | icewater | Medium | 2020-08-17 |
| XSS in desktop client via invalid server address on login form | Cross-site Scripting (XSS) - Generic | jplopezy | Medium | 2020-08-17 |
| RTLO character allowed in shared files | UI Redressing (Clickjacking) | inhibitor181 | Medium | 2020-08-17 |
| Missing memory corruption protection on Windows release build | Memory Corruption - Generic | secconsult | Medium | 2020-08-14 |
| Memory Leak in OCUtil.dll library in Desktop client can lead to DoS | Denial of Service | cwave | Medium | 2020-08-06 |
| Arbitrary code execution in desktop client via OpenSSL config | Code Injection | l00ph0le | Medium | 2020-08-05 |
| XSS in image metadata field | Cross-site Scripting (XSS) - Stored | yzy9951 | Medium | 2020-08-05 |
| Anonymous file drop page ignores user profile visibility restrictions | Information Disclosure | pshknst | No rating | 2020-08-03 |
| Possible denial of service when entering a loooong password | Brute Force | xcheater | Medium | 2020-07-29 |
| Contacts menu (not app) fails to restrict (to local groups) for contacts from federated servers | Information Disclosure | nursoda | Low | 2020-07-25 |
| Non-admin users can trigger writes to memcached by entering a malicious server as a share URL | CRLF Injection | jmdx | Medium | 2020-07-09 |
| Unrestricted file upload on the image of contacts | Business Logic Errors | hitman_47 | Low | 2020-07-08 |
| PHPUnit is included in groupfolders release package potentially causing RCE | None supplied | ledfan | No rating | 2020-06-25 |
| Cross site scripting - XSRF Token | Cross-site Scripting (XSS) - Generic | a9hora | Medium | 2020-06-14 |
| Mail does not verify IMAP/SMTP host connected via TLS | Improper Certificate Validation | christophwurst | Medium | 2020-06-03 |
| Allows any user to share their "Root" level folder by sharing "." | Improper Access Control - Generic | chevonphillip | None | 2020-06-03 |
| Code injection possible with malformed Nextcloud Talk chat commands | Code Injection | covert-spectre | High | 2020-06-02 |
| Code injection possible with malformed Nextcloud Talk chat commands | Code Injection | covert-spectre | High | 2020-06-02 |
| XSS in PDF Viewer | Cross-site Scripting (XSS) - Generic | skewbed | Low | 2020-05-24 |
| Missing ownership check on remote wipe endpoint | Insecure Direct Object Reference (IDOR) | hitman_47 | High | 2020-04-19 |
| User can delete data in shared folders he's not authorized to access | Improper Access Control - Generic | jlord87 | Medium | 2020-04-10 |
| Code injection in macOS Desktop Client | Code Injection | r3ggi-on-h1 | Low | 2020-04-10 |
| "Secure View" aka "Hide Download" can be bypassed easily | Improper Access Control - Generic | at5djl3pwjmunyutnoatp | High | 2020-04-10 |
| Self xss | Cross-site Scripting (XSS) - Generic | iwallplace | Low | 2020-04-05 |
| potential RCE and XSS via file upload requiring user account and default settings | Code Injection | rcejules | High | 2020-04-01 |
| Docker image with FPM is vulnerable to CVE-2019-11043 | Code Injection | beched | Critical | 2020-03-14 |
| SSRF protection bypass | Server-Side Request Forgery (SSRF) | foobar7 | Medium | 2020-03-14 |
| Only the file extensions are checked, not the MIME types as configured | None supplied | teaport | Medium | 2020-03-14 |
| Remote code execution via path traversal in Zip extraction in the Extract app | Path Traversal | emilvirkki | High | 2020-03-07 |
| http://www.nextcloud.com/wp-includes/js/swfupload/swfupload.swf allows open redirect / site defacement | Open Redirect | todayisnew | No rating | 2020-03-07 |
| [Reflected XSS] In Request URL | Cross-site Scripting (XSS) - Reflected | nstikhomirov | Low | 2020-03-01 |
| Username and Access Token Disclosure | Violation of Secure Design Principles | jannikg | Low | 2020-03-01 |
| User with read-only access to a share can gain write access to sub-folders in the share | Privilege Escalation | phil-davis | Medium | 2020-03-01 |
| Persistent XSS via filename in projects | Cross-site Scripting (XSS) - Stored | foobar7 | Low | 2020-03-01 |
| Access to all files of remote user through shared file | Information Disclosure | xuesheng | Medium | 2020-03-01 |
| No session logout after changing password & also android sessions not shown in sessions list so they can be deleted | Violation of Secure Design Principles | whitehattushu | No rating | 2020-02-09 |
| File-drop content is visible through the gallery app | None supplied | nursoda | Medium | 2020-01-31 |
| Arbitrary SQL command injection | SQL Injection | leonklingele | Critical | 2019-07-21 |
| Remote Code Execution via Extract App Plugin | OS Command Injection | hdbreaker | High | 2019-05-30 |
| Session fixation in password protected public download. | Session Fixation | frankspierings | Low | 2018-10-25 |
| Authentication Issue | Improper Authentication - Generic | bugdiscloseguys | No rating | 2018-10-25 |
| twofactor_auth bypassable if provider fails to load | Improper Authentication - Generic | cyphar | Low | 2018-09-27 |
| Shared file link - password protection bypass under certain conditions | Information Disclosure | icewater | Medium | 2018-09-25 |
| Access control issue -- [Allow file system access not validated when using session auth] | Improper Access Control - Generic | born2hack | Medium | 2018-09-25 |
| HTML injection with AutoComplete suggestions | Cross-site Scripting (XSS) - Generic | nickvergessen | None | 2018-08-10 |
| [FG-VD-17-063] NextCloud Insufficient Attack Protection Vulnerability Notification | Code Injection | yzy9951 | Low | 2018-07-29 |
| bypass of 2FA | Improper Authentication - Generic | kaysbugs | High | 2018-07-29 |
| OAuth2 Access Token and App Password Security Vulnerability | Use of a Key Past its Expiration Date | noumar | Medium | 2018-07-21 |
| Accessing to download.nextcloud.com from original ip address \| insecure Download | Cleartext Transmission of Sensitive Information | iheb_hamad | No rating | 2018-07-12 |
| The session token in the URL | Information Disclosure | mandark | Medium | 2018-06-19 |
| File access control rules not enforced on image files | Improper Access Control - Generic | reinism | Low | 2018-06-15 |
| Disclosed Version of PORTS SSH\|HTTP\|SSL | Information Disclosure | iheb_hamad | Low | 2018-06-14 |
| Banner Grabbing - Apache Server Version Disclosure | Information Disclosure | cybertiger | No rating | 2018-05-17 |
| Banner Grabbing - Apache Server Version Disclosure | Information Disclosure | kistimat | No rating | 2018-05-17 |
| Information Exposure Through Directory Listing | Information Exposure Through Directory Listing | mobius07 | None | 2018-05-17 |
| Possible RCE | Command Injection - Generic | paulos_ | No rating | 2018-03-08 |
| Email Notification should be sent while changing password on apps.nextcloud.com | None supplied | an0nym0us | No rating | 2018-02-28 |
| Registered users can change app password permissions for any user | Insecure Direct Object Reference (IDOR) | icewater | Low | 2018-02-08 |
| WordPress < 4.8.2 vulnerable to multiple attacks | Violation of Secure Design Principles | luckydivino | Low | 2017-09-27 |
| IDOR unsubscribe Anyone from NextClouds Newsletters by knowing their Email | Insecure Direct Object Reference (IDOR) | babayaga_ | Medium | 2017-09-16 |
| Wordpress Vulnerable to Potential Unauthorized Password Reset | None supplied | japz | Low | 2017-08-15 |
| https://xmpp.nextcloud.com///;@www.google.com allows open redirect | Open Redirect | todayisnew | No rating | 2017-08-13 |
| Directory Listing In Subdomain Of nextcloud.com | Information Exposure Through Directory Listing | xyberwolf | Low | 2017-07-14 |
| ci.nextcloud.com: CVE-2015-5477 BIND9 TKEY Vulnerability + Exploit (Denial of Service) | Denial of Service | js_whitehat | High | 2017-06-08 |
| DOM XSS vulnerability in search dialogue (NC-SA-2017-007) | Cross-site Scripting (XSS) - Generic | pain_ | Low | 2017-06-07 |
| Stored XSS in Gallery application (NC-SA-2017-010) | Cross-site Scripting (XSS) - Generic | lukasreschke | Low | 2017-06-06 |
| Share tokens for public calendars disclosed (NC-SA-2017-011) | Information Exposure Through Directory Listing | lukasreschke | Medium | 2017-06-06 |
| Missing Rate Limiting protection leading to mass triggering of e-mails | Violation of Secure Design Principles | giligails | Medium | 2017-06-05 |
| Missing Rate Limit for Current Password field in nextcloud.com | Improper Authentication - Generic | sumitsahoo | Low | 2017-05-20 |
| Privilege escalation - Normal user can somehow make admin to delete shared folders | Privilege Escalation | ayid | High | 2017-05-20 |
| Dav sharing permissions issue | Privilege Escalation | nickvergessen | Medium | 2017-05-20 |
| Clickjacking In https://demo.nextcloud.com | UI Redressing (Clickjacking) | xsszeeshan | Critical | 2017-05-20 |
| Content spoofing due to the improper behavior of the 403 page | Violation of Secure Design Principles | t-pwn | No rating | 2017-05-18 |
| Content spoofing due to the improper behavior of the 403 page | None supplied | t-pwn | No rating | 2017-05-18 |
| Email Spoofing Vulnerability from nextcloud. | None supplied | cloudyvirus | High | 2017-05-18 |
| Reflected XSS in error pages (NC-SA-2017-008) | Cross-site Scripting (XSS) - Reflected | sinkmanu | Low | 2017-05-15 |
| Possible SSRF in email server settings (SMTP mode) | Server-Side Request Forgery (SSRF) | xifengweiyu | Medium | 2017-05-15 |
| Content (Text) Injection at https://nextcloud.com | Violation of Secure Design Principles | xifengweiyu | Low | 2017-05-15 |
| Nextcloud Server Remote Command Execution | None supplied | sniperpex | High | 2017-05-10 |
| Limitation of app specific password scope can be bypassed (NC-SA-2017-009) | Privilege Escalation | makosdel | Low | 2017-05-08 |
| Calendar and addressbook names disclosed (NC-SA-2017-012) | Information Disclosure | juliushaertl | Low | 2017-05-08 |
| I am because bug | None supplied | b69b1b97b19c1c71b0eed85 | Critical | 2017-05-04 |
| Content Spoofing/Text Injection in https://demo.nextcloud.com | Violation of Secure Design Principles | smit | Low | 2017-04-28 |
| Update php-saml library to 2.10.5 | Cryptographic Issues - Generic | lukasreschke | Low | 2017-04-28 |
| Cross Site Scripting | None supplied | lulliii | No rating | 2017-04-26 |
| information disclose | Information Disclosure | abdul1ah | No rating | 2017-04-25 |
| The email API to test email-server settings is unlimited and can be used as an email bomb | Improper Access Control - Generic | xifengweiyu | Medium | 2017-04-24 |
| XSS on IOS app via HTML rendering | Cross-site Scripting (XSS) - Stored | bugdiscloseguys | Low | 2017-04-20 |
| The email API to reset password is unlimited and can be used as an email bomb | Improper Access Control - Generic | xifengweiyu | Low | 2017-04-20 |
| failure to invalidate session on password change | Improper Authentication - Generic | pradeepch99 | No rating | 2017-04-20 |
| Information disclosure | Information Disclosure | amirisme | No rating | 2017-04-20 |
| SSRF at apps.nextcloud.com/developer/apps/releases/new | Server-Side Request Forgery (SSRF) | t-pwn | No rating | 2017-04-20 |
| GIT Detected | Information Disclosure | lulliii | No rating | 2017-04-20 |
| bug reporting template encourages users to paste config file with passwords | Information Disclosure | hanno | Medium | 2017-04-19 |
| CSRF token validation is missing | Cross-Site Request Forgery (CSRF) | 596a96cc7bf9108cd896f33c4 | Medium | 2017-04-19 |
| Content Spoofing/Text Injection in nextcloud.com | Violation of Secure Design Principles | demo--hacker | Low | 2017-04-19 |
| https://portal.nextcloud.com/.htaccess file is readable | Information Disclosure | sahilmk | No rating | 2017-04-14 |
| Invalid request may lead to content spoofing for phishing | Violation of Secure Design Principles | d4rk_g1rl | No rating | 2017-04-12 |
| Design Issues on ( ███ ) Lead to show ( IPS of Users ) | None supplied | m7mdharoun | Medium | 2017-04-05 |
| Android - Possible to intercept broadcasts about uploaded files | Information Disclosure | bagipro | No rating | 2017-03-23 |
| Server version/OS type disclosure via HTTP Response Header | None supplied | ryudox | Low | 2017-03-23 |
| Reflected XSS in U2F plugin by shipping the example endpoints | Cross-site Scripting (XSS) - Generic | lukasreschke | High | 2017-03-22 |
| Bypassing quota limit | Privilege Escalation | nordin | None | 2017-03-10 |
| Version 4.7.2 of wordpress is vulnerable | None supplied | demo--hacker | High | 2017-03-07 |
| Content Spoofing in "files" app | Violation of Secure Design Principles | ahsan | Low | 2017-03-06 |
| Group admin can remove user from all his groups via API | None supplied | nickvergessen | None | 2017-02-23 |
| Review remote code execution in SwiftMailer | Code Injection | lukasreschke | None | 2017-02-18 |
| xss for admin of https://newsletter.nextcloud.com | Cross-site Scripting (XSS) - Generic | sergeym | No rating | 2017-02-17 |
| Drone Nextcloud | None supplied | rbcafe | No rating | 2017-02-12 |
| User Information Disclosure via REST API | Information Disclosure | raunak2002 | No rating | 2017-02-11 |
| Missing SPF Flags on nextcloud.com | Violation of Secure Design Principles | ph_spade | No rating | 2017-02-10 |
| Bypass permissions | Privilege Escalation | secator | Medium | 2017-02-09 |
| Filename enumeration && DoS | Denial of Service | secator | Low | 2017-02-09 |
| Wordpress 4.7.1 | None supplied | rbcafe | Low | 2017-01-27 |
| Email Spoofing | Violation of Secure Design Principles | khalidamin | No rating | 2017-01-25 |
| Nextcloud.com is vulnerable to SWEET32 attack | Cryptographic Issues - Generic | pkkothawade | No rating | 2017-01-25 |
| HTTP-Basic Authentication on logs.nextcloud.com | Violation of Secure Design Principles | rbcafe | No rating | 2017-01-17 |
| Avatar image upload and bypass real image verification | Violation of Secure Design Principles | dremos | No rating | 2017-01-15 |
| Disclosure of administrators via JSON on nextcloud.com Wordpress | Information Disclosure | rbcafe | No rating | 2017-01-13 |
| WordPress <= 4.6.1 Stored XSS Via Theme File | Cross-site Scripting (XSS) - Generic | madrobot | No rating | 2017-01-13 |
| Bad content-type in response header when getting document can lead to html injection | Cross-site Scripting (XSS) - Generic | trichimtrich | Medium | 2017-01-12 |
| URI scheme bypass in mail app leads to HTML content spoof and opener control | Violation of Secure Design Principles | trichimtrich | No rating | 2017-01-12 |
| Files Drop: WebDAV endpoint is leaking existence of resources | Information Disclosure | lukasreschke | Low | 2017-01-01 |
| Stored XSS on new Calling plugin (spreed) | Cross-site Scripting (XSS) - Generic | coolboss | High | 2016-12-13 |
| Share owner has no possibility to list all existing derived shares | Improper Authentication - Generic | detroitsmash | No rating | 2016-12-13 |
| Password reset link remains valid after email change | Improper Authentication - Generic | rootxflood | No rating | 2016-12-13 |
| [Nextcloud 9.0.53] Content Spoofing in 'trustDomain' parameter | Violation of Secure Design Principles | ahsan | No rating | 2016-12-05 |
| Login Hints on Admin Panel | Violation of Secure Design Principles | madhur_bhargava | Medium | 2016-12-05 |
| BruteForce in to Admin Account | Improper Authentication - Generic | hackerwahab | High | 2016-12-04 |
| Wordpress Version Disclosure Bug On Nextcloud | Information Disclosure | cr4zyrud | Low | 2016-12-04 |
| Reflected XSS in Gallery App | Cross-site Scripting (XSS) - Generic | soreks | Medium | 2016-12-03 |
| \OCA\DAV\CardDAV\ImageExportPlugin allows serving arbitrary data with user-defined or empty mimetype | Cross-site Scripting (XSS) - Generic | lukasreschke | Medium | 2016-12-03 |
| IDOR - Disable sharing | Privilege Escalation | dalt | Low | 2016-12-03 |
| Content (Text) Injection at NextCloud Server 9.0.52 - via http://custom_nextcloud_url/remote.php/dav/files/ | Violation of Secure Design Principles | config | Low | 2016-12-02 |
| xss on demo.nextcloud.com due to outdated version | Cross-site Scripting (XSS) - Generic | bm666 | No rating | 2016-11-26 |
| More content spoofing through dir param in the files app | Violation of Secure Design Principles | lmx | Low | 2016-11-04 |
| [Thirdparty] Stored XSS in chat module - nextcloud server 9.0.51 installed in ubuntu 14.0.4 LTS | Cross-site Scripting (XSS) - Generic | ayid | Medium | 2016-11-02 |
| Content spoofing due to the improper behavior of the 403 page in Private Server | Violation of Secure Design Principles | ahsan | None | 2016-10-31 |
| Content spoofing in lookup.nextcloud.com | Violation of Secure Design Principles | csanuragjain | Low | 2016-10-10 |
| Slow Http attack on nextcloud (DOS) | Denial of Service | drosera | No rating | 2016-10-05 |
| Arbitrary File Upload in Logo & Log in image Theming setting. | Cross-site Scripting (XSS) - Generic | bastianwelfrid | No rating | 2016-10-05 |
| demo.nextcloud.com: Content spoofing due to default Apache Error Page | Violation of Secure Design Principles | sysecure | No rating | 2016-09-29 |
| Password Reset Link issue | Improper Authentication - Generic | i1ackerone | No rating | 2016-09-23 |
| Unauthenticated Stored xss | Cross-site Scripting (XSS) - Generic | spetr0x | No rating | 2016-09-13 |
| Directory listing enabled in: 88.198.160.130 | Information Disclosure | sandh0t | No rating | 2016-09-04 |
| Reflected Self-XSS Vulnerability in the Comment section of Files (Different-payloads) | Cross-site Scripting (XSS) - Generic | shivakumar143 | No rating | 2016-08-31 |
| Content spoofing in cloud.nextcloud.com | Violation of Secure Design Principles | ahsan | No rating | 2016-08-30 |
| demo.nextcloud.com: Content spoofing due to default Apache Error Page | Violation of Secure Design Principles | cutejoker | No rating | 2016-08-30 |
| Reflected Self-XSS Vulnerability in the Comment section of Files Information | Cross-site Scripting (XSS) - Generic | naveenv | No rating | 2016-08-30 |
| Content Injection - demo.nextcloud.com | Violation of Secure Design Principles | spodermen | No rating | 2016-08-26 |
| Content Injection - apps.nextcloud.com | Violation of Secure Design Principles | spodermen | No rating | 2016-08-26 |
| Information Disclosure of .htaccess file in Private Server/Subdomain | Information Disclosure | ahsan | No rating | 2016-08-26 |
| Wordpress: Directory Traversal / Denial of Service | Information Disclosure | tbehroz | No rating | 2016-08-26 |
| Expired SSL certificate | Violation of Secure Design Principles | goethe_ | No rating | 2016-08-25 |
| Response Header injection using redirect_uri together with PHP that utilizes Header Folding according to RFC1945 and Internet Explorer 11 | Violation of Secure Design Principles | fransrosen | No rating | 2016-08-17 |
| Bookmarks: Delete all existing bookmarks of a user | Privilege Escalation | ctee | No rating | 2016-08-08 |
| help.nextcloud.com: Known DoS condition (null pointer deref) in Nginx running | Denial of Service | shoveller | No rating | 2016-07-27 |
| Read-only share recipient can restore old versions of file | Improper Authentication - Generic | bugdiscloseguys | No rating | 2016-07-19 |
| Log pollution can lead to HTML Injection. | Cross-site Scripting (XSS) - Generic | apok | No rating | 2016-07-19 |
| Uploading files to a folder where invited user doesn't have any EDIT privilege | Improper Authentication - Generic | detroitsmash | No rating | 2016-07-19 |
| Stored XSS on Share-popup of a directory's Gallery-view | Cross-site Scripting (XSS) - Generic | fransrosen | No rating | 2016-07-19 |
| Nextcloud server software: Content Spoofing | Violation of Secure Design Principles | ishahriyar | No rating | 2016-07-19 |
| newsletter.nextcloud.com: Bypass firewall protection | Improper Authentication - Generic | bug_cat | No rating | 2016-07-19 |
| The application uses basic authentication. | Improper Authentication - Generic | roshanpty | No rating | 2016-07-18 |
| nextcloud.com: Mail Bombing (No Rate Limiting On Sending Emails On Contact us Page) | Memory Corruption - Generic | ashish_pathak | No rating | 2016-07-17 |
| stats.nextcloud.com: Content Injection | Violation of Secure Design Principles | kiraak-boy | No rating | 2016-07-17 |
| REG: Content provider information leakage | Command Injection - Generic | zeroknife | No rating | 2016-06-24 |
| WordPress Vulnerabilities: User Enumeration, Vulnerable Akismet Plugin, XML-RPC Interface available | Information Disclosure | vivek-p | No rating | 2016-06-22 |
| No Rate Limiting on stats.nextcloud.com login | Violation of Secure Design Principles | japz | No rating | 2016-06-22 |
| Deny access to download.nextcloud.com + folders | Information Disclosure | thearmfox | No rating | 2016-06-21 |
| Email ID Disclosure. | Information Disclosure | bugdiscloseguys | No rating | 2016-06-20 |
| No rate limiting on password protected shared file link | Improper Authentication - Generic | johnd | No rating | 2016-06-20 |
| No permission set on Activities [Android App] | Improper Authentication - Generic | gaurang | No rating | 2016-06-20 |
| Bruteforcing help.nextcloud.com | Improper Authentication - Generic | japz | No rating | 2016-06-19 |
| Lost Password CSRF | Cross-Site Request Forgery (CSRF) | mefkan | No rating | 2016-06-19 |
| help.nextcloud Email Address/Username enumeration | Information Disclosure | japz | No rating | 2016-06-19 |
| Enumeration of subscribed users and unauthenticated email unsubscriptions on https://newsletter.nextcloud.com/?p=unsubscribe | Information Disclosure | strukt | No rating | 2016-06-19 |
| Bruteforce attack is possible on newsletter.nextcloud.com | Improper Authentication - Generic | koolacac | No rating | 2016-06-19 |
| Content Injection in subdomain | Violation of Secure Design Principles | testest | No rating | 2016-06-19 |
| Content injection in subdomain | Violation of Secure Design Principles | testest | No rating | 2016-06-19 |
| Business/Functional logic bypass: Remove admins from admin group. | Privilege Escalation | paglababa | No rating | 2016-06-19 |
| Content Spoofing/Text Injection - docs.nextcloud.org | Violation of Secure Design Principles | ahsan | No rating | 2016-06-19 |
| Content Injection 404 page | Violation of Secure Design Principles | testest | No rating | 2016-06-19 |
| No captcha on newsletter.nextcloud.com leaves vulnerable to email spammers | Violation of Secure Design Principles | aaron_costello | No rating | 2016-06-19 |
| Content Spoofing | Violation of Secure Design Principles | ashish_pathak | No rating | 2016-06-19 |
| https://newsletter.nextcloud.com Directory listing and Information Disclosure | Information Disclosure | mefkan | No rating | 2016-06-18 |
| Directory Listing On download.nextcloud.com & Practical Attacks on PGP (Pretty Good Privacy) | Cryptographic Issues - Generic | 1337_inj3c70r | No rating | 2016-06-17 |
| Server side request forgery (SSRF) on nextcloud implementation. | None supplied | paglababa | No rating | 2016-06-17 |
| Vulnerable Javascript library | Information Disclosure | paulochoupina | No rating | 2016-06-17 |
| help.nextcloud.com: Session Management Issue | None supplied | ahsan | No rating | 2016-06-17 |
| nextcloud.com: Directory listing for 'wp-includes' folders | Information Disclosure | zuh4n | No rating | 2016-06-17 |
| nextcloud.com: Content Injection Custom 404 Error | Violation of Secure Design Principles | geekboy | No rating | 2016-06-17 |