Loading HuntDB...

Vulnerability Intelligence by wss.sh

Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News

More Sources

HackerOne Reports

Bug bounty disclosures

WordPress Vulnerabilities

WordPress plugins & themes

Tools & Data

Trending Insights

Popular vulnerabilities

Advanced Search

Filter & search CVEs

Product Inventory

Software & vendors

Sign In Sign Up

Nextcloud - HackerOne Reports

View on HackerOne

508

Total Reports

10

Critical

46

High

173

Medium

179

Low

Code injection possible with malformed Nextcloud Talk chat commands

Reported by: covert-spectre | Disclosed:

High

Weakness: Code Injection

Missing Rate Limit for Current Password field in nextcloud.com

Reported by: sumitsahoo | Disclosed:

Low

Weakness: Improper Authentication - Generic

Contacts only sanitizes PHOTO svg if mime type is all lower case

Reported by: christophwurst | Disclosed:

Weakness: Cross-site Scripting (XSS) - Generic

Missing length validation of user displayname allows to generate an SQL error

Reported by: errorsec_ | Disclosed:

Low

Weakness: Uncontrolled Resource Consumption

Arbitrary code execution in desktop client via OpenSSL config

Reported by: l00ph0le | Disclosed:

Medium

Weakness: Code Injection

Bounty: $100.00

Drone Nextcloud

Reported by: rbcafe | Disclosed:

Possibility to delete files attached to deck cards of other users

Reported by: supr4s | Disclosed:

Low

Weakness: Insecure Direct Object Reference (IDOR)

Uploading large avatar images cause excessive CPU usage

Reported by: fancycode | Disclosed:

Weakness: Uncontrolled Resource Consumption

Lack of bruteforce protection for TOTP 2FA

Reported by: bncrypted | Disclosed:

Medium

Weakness: Improper Restriction of Authentication Attempts

Bounty: $750.00

Reflected XSS in Gallery App

Reported by: soreks | Disclosed:

Medium

Weakness: Cross-site Scripting (XSS) - Generic

Predictable Random Number Generator

Reported by: d4rkrai | Disclosed:

Medium

Weakness: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

Formula Injection vulnerability in CSV export feature

Reported by: 6661620a | Disclosed:

Medium

Weakness: Code Injection

Email Spoofing

Reported by: khalidamin | Disclosed:

Weakness: Violation of Secure Design Principles

App PIN code can be bypassed in Files iOS

Reported by: spell1 | Disclosed:

Low

Weakness: Improper Authentication - Generic

Accessing to download.nextcloud.com from original ip adreess | insecure Download

Reported by: bb00x | Disclosed:

Weakness: Cleartext Transmission of Sensitive Information

Bypassing lock protection

Reported by: doragon | Disclosed:

Low

Weakness: Improper Authentication - Generic

Bounty: $50.00

Bypass configured 2FA provider with another provider that can be set up at login

Reported by: christophwurst | Disclosed:

Medium

Weakness: Improper Authentication - Generic

Mail auto configurator can be tricked into sending account information to wrong servers

Reported by: shushangw | Disclosed:

High

Weakness: Information Disclosure

Bounty: $100.00

HTTP-Basic Authentication on logs.nextcloud.com

Reported by: rbcafe | Disclosed:

Weakness: Violation of Secure Design Principles

New AppPassword can be generated without password confirmation

Reported by: mikaelgundersen | Disclosed:

High

Weakness: Improper Access Control - Generic

Bounty: $250.00

Page 1 of 26 Next