Vulnerabilities > Nextcloud > Medium
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-10-05 | CVE-2020-8235 | Authorization Bypass Through User-Controlled Key vulnerability in Nextcloud Deck 1.0.4. Missing access control in Nextcloud Deck 1.0.4 caused an insecure direct object reference allowing an attacker to view all attachments. | 4.3 |
2020-10-05 | CVE-2020-8228 | Improper Restriction of Excessive Authentication Attempts vulnerability in multiple products. A missing rate limit in the Preferred Providers app 1.7.0 allowed an attacker to set the password an uncontrolled number of times. | 5.3 |
2020-10-05 | CVE-2020-8223 | Improper Privilege Management vulnerability in multiple products. A logic error in Nextcloud Server 19.0.0 caused a privilege escalation allowing malicious users to reshare with higher permissions than they were assigned themselves. | 6.5 |
2020-08-21 | CVE-2020-8227 | Path Traversal vulnerability in Nextcloud Desktop. Missing sanitization of a server response in Nextcloud Desktop Client 2.6.4 for Linux allowed a malicious Nextcloud Server to store files outside of the dedicated sync directory. | 6.8 |
2020-08-21 | CVE-2020-8189 | Cross-site Scripting vulnerability in Nextcloud Desktop. A cross-site scripting error in Nextcloud Desktop Client 2.6.4 allowed any HTML (including local links) to be presented when responding with invalid data on the login attempt. | 5.4 |
2020-08-17 | CVE-2020-8230 | Out-of-bounds Write vulnerability in Nextcloud Desktop. A memory corruption vulnerability exists in Nextcloud Desktop Client v2.6.4 where missing ASLR and DEP protections for Windows allowed memory to be corrupted. | 5.5 |
2020-08-10 | CVE-2020-8229 | Memory Leak vulnerability in Nextcloud Desktop. A memory leak in the OCUtil.dll library used by Nextcloud Desktop Client 2.6.4 can lead to a DoS against the host system. | 5.5 |
2020-07-30 | CVE-2020-8202 | Improper Restriction of Excessive Authentication Attempts vulnerability in Nextcloud Preferred Providers 1.6.0. Improper check of inputs in Nextcloud Preferred Providers app v1.6.0 allowed a denial-of-service attack to be performed when using a very long password. | 5.3 |
2020-07-10 | CVE-2020-8181 | Unrestricted Upload of File with Dangerous Type vulnerability in Nextcloud Contacts. A missing file type check in Nextcloud Contacts 3.2.0 allowed a malicious user to upload any file as an avatar. | 4.3 |
2020-07-02 | CVE-2020-8179 | Improper Privilege Management vulnerability in Nextcloud Deck. Improper access control in Nextcloud Deck 1.0.0 allowed an attacker to inject tasks into other users' decks. | 4.1 |