Vulnerabilities > Nextcloud > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-04-14 | CVE-2021-22879 | Injection vulnerability in multiple products Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowing a malicious server to execute remote commands. | 8.8 |
| 2021-01-26 | CVE-2020-8295 | Resource Exhaustion vulnerability in Nextcloud Server A wrong check in Nextcloud Server 19 and prior allowed to perform a denial of service attack when resetting the password for a user. | 7.5 |
| 2020-11-19 | CVE-2020-8279 | Improper Certificate Validation vulnerability in Nextcloud Social Missing validation of server certificates for out-going connections in Nextcloud Social < 0.4.0 allowed a man-in-the-middle attack. | 7.4 |
| 2020-11-16 | CVE-2020-8259 | Insufficiently Protected Credentials vulnerability in Nextcloud Server Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the encryption keys. | 8.1 |
| 2020-11-02 | CVE-2020-8183 | Insufficiently Protected Credentials vulnerability in Nextcloud Server A logic error in Nextcloud Server 19.0.0 caused a plaintext storage of the share password when it was given on the initial create API call. | 7.5 |
| 2020-10-05 | CVE-2020-8182 | Improper Preservation of Permissions vulnerability in Nextcloud Deck 0.8.0 Improper access control in Nextcloud Deck 0.8.0 allowed an attacker to reshare boards shared with them with more permissions than they had themselves. | 8.0 |
| 2020-09-18 | CVE-2020-8225 | Cleartext Storage of Sensitive Information vulnerability in Nextcloud Desktop A cleartext storage of sensitive information in Nextcloud Desktop Client 2.6.4 gave away information about used proxies and their authentication credentials. | 7.5 |
| 2020-08-10 | CVE-2020-8224 | Code Injection vulnerability in Nextcloud Desktop A code injection in Nextcloud Desktop Client 2.6.4 allowed to load arbitrary code when placing a malicious OpenSSL config into a fixed directory. | 7.8 |
| 2020-05-12 | CVE-2020-8156 | Improper Certificate Validation vulnerability in multiple products A missing verification of the TLS host in Nextcloud Mail 1.1.3 allowed a man in the middle attack. | 7.0 |
| 2020-05-12 | CVE-2020-8154 | Authorization Bypass Through User-Controlled Key vulnerability in Nextcloud Server An Insecure direct object reference vulnerability in Nextcloud Server 18.0.2 allowed an attacker to remote wipe devices of other users when sending a malicious request directly to the endpoint. | 7.7 |