Nextcloud - HackerOne Reports
Total Reports: 508
Critical: 10
High: 46
Medium: 173
Low: 179
Nextcloud logs LDAP passwords
Reported by: tribut | Disclosed: | Severity: Low | Weakness: Plaintext Storage of a Password

Privilege escalation - Normal user can somehow make an admin delete shared folders
Reported by: egrep | Disclosed: | Severity: High | Weakness: Privilege Escalation

XSS for admin of https://newsletter.nextcloud.com
Reported by: sergeym | Disclosed: | Weakness: Cross-site Scripting (XSS) - Generic

[Nextcloud 9.0.53] Content Spoofing in 'trustDomain' parameter
Reported by: ahsan | Disclosed: | Weakness: Violation of Secure Design Principles

IDOR - Disable sharing
Reported by: dalt4sec | Disclosed: | Severity: Low | Weakness: Privilege Escalation

https://help.nextcloud.com: Web cache poisoning attack
Reported by: g4mm4 | Disclosed: | Severity: High

Allows any user to share their "Root" level folder by sharing "."
Reported by: chevonphillip | Disclosed: | Weakness: Improper Access Control - Generic

More content spoofing through dir param in the files app
Reported by: lmx | Disclosed: | Severity: Low | Weakness: Violation of Secure Design Principles | Bounty: $50.00

Docker image with FPM is vulnerable to CVE-2019-11043
Reported by: beched | Disclosed: | Severity: Critical | Weakness: Code Injection | CVEs: CVE-2019-11043

[FG-VD-17-063] NextCloud Insufficient Attack Protection Vulnerability Notification
Reported by: yzy9951 | Disclosed: | Severity: Low | Weakness: Code Injection | Bounty: $100.00

X-E2EE-SIGNATURE verification can be bypassed, leading to loss of confidentiality of end-to-end encrypted files
Reported by: d-xuan | Disclosed: | Severity: Medium | Weakness: Improper Certificate Validation

Mail app - blind SSRF via imapHost parameter
Reported by: supr4s | Disclosed: | Severity: Low | Weakness: Server-Side Request Forgery (SSRF)

Scoped apptokens can be changed by that very apptoken
Reported by: rtod | Disclosed: | Severity: High | Weakness: Improper Access Control - Generic | Bounty: $1000.00

App pin of the Android app can be bypassed via third-party apps generating deep links
Reported by: meinereiner | Disclosed: | Severity: Low | Weakness: Improper Authentication - Generic

Username Enumeration
Reported by: ahpaleus | Disclosed: | Severity: Low | Weakness: Information Disclosure

Database resource exhaustion for logged-in users via sharee recommendations with circles
Reported by: michag86 | Disclosed: | Severity: Medium | Weakness: Uncontrolled Resource Consumption | Bounty: $250.00

SQL injection via vulnerable doctrine/dbal version
Reported by: nickvergessen | Disclosed: | Severity: High | Weakness: SQL Injection

Desktop client does not verify received signed certificate in end-to-end encryption
Reported by: mikaelgundersen | Disclosed: | Severity: Medium | Weakness: Improper Certificate Validation | Bounty: $1000.00

Reference fetch can saturate the server bandwidth for 10 seconds
Reported by: brthnc | Disclosed: | Severity: Medium | Weakness: Uncontrolled Resource Consumption

Code injection possible with malformed Nextcloud Talk chat commands
Reported by: covert-spectre | Disclosed: | Severity: High | Weakness: Code Injection