Vulnerabilities > Nextcloud

DATE CVE VULNERABILITY TITLE RISK
2020-06-08 CVE-2020-8180 Code Injection vulnerability in Nextcloud Talk
A too lax check in Nextcloud Talk 6.0.4, 7.0.2 and 8.0.7 allowed a code injection when a not correctly sanitized talk command was added by an administrator.
network
low complexity
nextcloud CWE-94
critical
9.9
2020-05-12 CVE-2020-8156 Improper Certificate Validation vulnerability in multiple products
A missing verification of the TLS host in Nextcloud Mail 1.1.3 allowed a man in the middle attack.
network
high complexity
nextcloud fedoraproject CWE-295
7.0
2020-05-12 CVE-2020-8155 Cross-site Scripting vulnerability in Nextcloud Server
An outdated 3rd party library in the Files PDF viewer for Nextcloud Server 18.0.2 caused a Cross-site scripting vulnerability when opening a malicious PDF.
network
low complexity
nextcloud CWE-79
5.4
2020-05-12 CVE-2020-8154 Authorization Bypass Through User-Controlled Key vulnerability in Nextcloud Server
An Insecure direct object reference vulnerability in Nextcloud Server 18.0.2 allowed an attacker to remote wipe devices of other users when sending a malicious request directly to the endpoint.
network
low complexity
nextcloud CWE-639
7.7
2020-05-12 CVE-2020-8153 Incorrect Permission Assignment for Critical Resource vulnerability in multiple products
Improper access control in Groupfolders app 4.0.3 allowed to delete hidden directories when when renaming an accessible item to the same name.
network
low complexity
nextcloud fedoraproject CWE-732
8.1
2020-03-20 CVE-2020-8140 Code Injection vulnerability in Nextcloud Desktop
A code injection in Nextcloud Desktop Client 2.6.2 for macOS allowed to load arbitrary code when starting the client with DYLD_INSERT_LIBRARIES set in the environment.
local
low complexity
nextcloud CWE-94
6.7
2020-03-20 CVE-2020-8139 Missing Authorization vulnerability in multiple products
A missing access control check in Nextcloud Server < 18.0.1, < 17.0.4, and < 16.0.9 causes hide-download shares to be downloadable when appending /download to the URL.
network
low complexity
nextcloud fedoraproject CWE-862
6.5
2020-03-20 CVE-2020-8138 Server-Side Request Forgery (SSRF) vulnerability in Nextcloud Server
A missing check for IPv4 nested inside IPv6 in Nextcloud server < 17.0.1, < 16.0.7, and < 15.0.14 allowed a Server-Side Request Forgery (SSRF) vulnerability when subscribing to a malicious calendar URL.
network
low complexity
nextcloud CWE-918
6.5
2020-02-04 CVE-2020-8122 Improper Input Validation vulnerability in Nextcloud Server
A missing check in Nextcloud Server 14.0.3 could give recipient the possibility to extend the expiration date of a share they received.
network
low complexity
nextcloud CWE-20
4.3
2020-02-04 CVE-2020-8121 Exposure of Resource to Wrong Sphere vulnerability in Nextcloud Server
A bug in Nextcloud Server 14.0.4 could expose more data in reshared link shares than intended by the sharer.
network
low complexity
nextcloud CWE-668
8.1