Nextcloud - HackerOne Reports

Total Reports: 506
Critical: 10
High: 46
Medium: 173
Low: 177

Filename enumeration && DoS
Reported by: b42f97eb69dddcafe5cc278 | Disclosed: | Severity: Low
Weakness: Uncontrolled Resource Consumption

Remote code execution via path traversal in Zip extraction in the Extract app
Reported by: emilvirkki | Disclosed: | Severity: High
Weakness: Path Traversal

Android - Possible to intercept broadcasts about uploaded files
Reported by: bagipro | Disclosed:
Weakness: Information Disclosure

Code injection possible with malformed Nextcloud Talk chat commands
Reported by: covert-spectre | Disclosed: | Severity: High
Weakness: Code Injection

Nextcloud.com is vulnerable to SWEET32 attack
Reported by: pkkothawade | Disclosed:
Weakness: Cryptographic Issues - Generic
CVEs: CVE-2016-2183

Missing Rate Limit for Current Password field in nextcloud.com
Reported by: sumitsahoo | Disclosed: | Severity: Low
Weakness: Improper Authentication - Generic

Arbitrary code execution in desktop client via OpenSSL config
Reported by: l00ph0le | Disclosed: | Severity: Medium
Weakness: Code Injection
Bounty: $100.00

Possibility to delete files attached to deck cards of other users
Reported by: supr4s | Disclosed: | Severity: Low
Weakness: Insecure Direct Object Reference (IDOR)

Lack of bruteforce protection for TOTP 2FA
Reported by: bncrypted | Disclosed: | Severity: Medium
Weakness: Improper Restriction of Authentication Attempts
Bounty: $750.00

Formula Injection vulnerability in CSV export feature
Reported by: 6661620a | Disclosed: | Severity: Medium
Weakness: Code Injection

App PIN code can be bypassed in Files iOS
Reported by: spell1 | Disclosed: | Severity: Low
Weakness: Improper Authentication - Generic

Email Spoofing
Reported by: khalidamin | Disclosed:
Weakness: Violation of Secure Design Principles

Accessing download.nextcloud.com from original IP address | insecure download
Reported by: bb00x | Disclosed:
Weakness: Cleartext Transmission of Sensitive Information

Bypassing lock protection
Reported by: doragon | Disclosed: | Severity: Low
Weakness: Improper Authentication - Generic
Bounty: $50.00

Contacts only sanitizes PHOTO svg if mime type is all lower case
Reported by: christophwurst | Disclosed:
Weakness: Cross-site Scripting (XSS) - Generic

Bypass configured 2FA provider with another provider that can be set up at login
Reported by: christophwurst | Disclosed: | Severity: Medium
Weakness: Improper Authentication - Generic

Missing length validation of user displayname allows generating an SQL error
Reported by: errorsec_ | Disclosed: | Severity: Low
Weakness: Uncontrolled Resource Consumption

Bug reporting template encourages users to paste config file with passwords
Reported by: hanno | Disclosed: | Severity: Medium
Weakness: Information Disclosure

Mail auto configurator can be tricked into sending account information to wrong servers
Reported by: shushangw | Disclosed: | Severity: High
Weakness: Information Disclosure
Bounty: $100.00

HTTP-Basic Authentication on logs.nextcloud.com
Reported by: rbcafe | Disclosed:
Weakness: Violation of Secure Design Principles

Page 1 of 26