Nextcloud - HackerOne Reports
Total Reports: 508
Critical: 10
High: 46
Medium: 173
Low: 179
Share owner has no possibility to list all existing derived shares
Reported by: detroitsmash | Disclosed:
Weakness: Improper Authentication - Generic
Avatar image upload and bypass real image verification
Reported by: dremos | Disclosed:
Weakness: Violation of Secure Design Principles
Response Header injection using redirect_uri together with PHP that utilizes Header Folding according to RFC1945 and Internet Explorer 11
Reported by: fransrosen | Disclosed:
Weakness: Violation of Secure Design Principles
failure to invalidate session on password change
Reported by: pradeepch99 | Disclosed:
Weakness: Improper Authentication - Generic
Password reset link remains valid after email change
Reported by: rootxflood | Disclosed:
Weakness: Improper Authentication - Generic
Possible RCE
Reported by: paulos__ | Disclosed:
Weakness: Command Injection - Generic
ci.nextcloud.com: CVE-2015-5477 BIND9 TKEY Vulnerability + Exploit (Denial of Service)
Reported by: m4nx | Disclosed:
Severity: High
Weakness: Uncontrolled Resource Consumption
CVEs: CVE-2015-5477
Unauthenticated 'display name' information leak on enumeration of login names
Reported by: frankspierings | Disclosed:
Severity: Medium
Weakness: Information Disclosure
Missing X-Content-Type-Options
Reported by: pal434 | Disclosed:
Weakness: Violation of Secure Design Principles
Calendar and addressbook names disclosed (NC-SA-2017-012)
Reported by: juliushaertl | Disclosed:
Severity: Low
Weakness: Information Disclosure
Bounty: $183.00
Website PHP source code returned in javascript
Reported by: mdfarhanchowdhuryhasin | Disclosed:
Severity: Medium
Version 4.7.2 of wordpress is vulnerable
Reported by: demo--hacker | Disclosed:
Severity: High
https://xmpp.nextcloud.com///;@www.google.com allows open redirect
Reported by: todayisnew | Disclosed:
Weakness: Open Redirect
Document content of files can be obtained through Collabora for files of other users
Reported by: juliushaertl | Disclosed:
Severity: Medium
Weakness: Improper Access Control - Generic
nextcloud-snap CircleCI project has vulnerable configuration which can lead to exposing secrets
Reported by: nathand | Disclosed:
Severity: High
Weakness: Insufficiently Protected Credentials
End to end encryption folder locking is not properly protected
Reported by: rtod | Disclosed:
Severity: Low
Weakness: Improper Access Control - Generic
Bounty: $250.00
Android app does not clear end to end encryption keys
Reported by: rtod | Disclosed:
Severity: Low
Bounty: $100.00
Missing brute force protection for passwords of password protected share links
Reported by: hackit_bharat | Disclosed:
Severity: Low
Weakness: Improper Restriction of Authentication Attempts
Open redirect when logging in with user_oidc
Reported by: kesselb | Disclosed:
Weakness: Open Redirect
Code injection possible with malformed Nextcloud Talk chat commands
Reported by: covert-spectre | Disclosed:
Severity: High
Weakness: Code Injection