Nextcloud

Listed on HackerOne — Updated on 2019/10/15

Program statistics:
    reports in last 90 days: (count not captured)
    disclosed resolved issues: 130
    disclosed informative issues: 48
    disclosed N/A issues: 4

Disclosed reports. Each entry lists: [severity] bug title; bug type and reporter ("Found by"); time to triage, time to close and report status as recorded on HackerOne.

[Low] Veracode and security audit record are publicly available
    Type: Insecure Storage of Sensitive Information | Found by: laxe
    Triage: 5 days 9 hours | Close: 7 days 2 hours | Status: Informative

[Low] Content Spoofing / Text Injection in https://docs.nextcloud.com
    Type: Violation of Secure Design Principles | Found by: pamper
    Triage: issue was not triaged | Close: 2 days 22 hours | Status: Resolved

[Medium] Missing DNSSEC
    Type: Man-in-the-Middle | Found by: jelle293
    Triage: 0 days 2 hours | Close: 104 days 13 hours | Status: Resolved

[Medium] Reflected XSS / Markup Injection in `index.php/svg/core/logo/logo` parameter `color`
    Type: Cross-site Scripting (XSS) - Reflected | Found by: freddyb
    Triage: 9 days 1 hour | Close: 17 days 18 hours | Status: Resolved

[High] User Editable nextcloud Wiki pages of Public Repositories
    Type: None supplied | Found by: chernobyl
    Triage: issue was not triaged | Close: 0 days 11 hours | Status: Resolved

[Low] Passwords being stored as plain text in logging
    Type: Cleartext Storage of Sensitive Information | Found by: xatom
    Triage: 8 days 16 hours | Close: 125 days 23 hours | Status: Resolved

[Low] Delete permission can be added on reshare
    Type: Privilege Escalation | Found by: phil-davis
    Triage: 0 days 16 hours | Close: 63 days 3 hours | Status: Resolved

[Medium] Passcode Protection in Android Devices Can be Bypassed
    Type: Violation of Secure Design Principles | Found by: ctulhu
    Triage: 6 days 5 hours | Close: 47 days 1 hour | Status: Informative

[High] Group admins can remove arbitrary data from "data" directory (including admin data)
    Type: Privilege Escalation | Found by: leonklingele
    Triage: 0 days 17 hours | Close: 99 days 23 hours | Status: Resolved

[None] LDAP login possible even though account doesn't match user filter
    Type: Improper Authentication - Generic | Found by: gvde
    Triage: 0 days 1 hour | Close: 863 days 22 hours | Status: Resolved

[Low] Bypassing lock protection
    Type: Improper Authentication - Generic | Found by: doragon
    Triage: 15 days 21 hours | Close: 124 days 0 hours | Status: Resolved

[None] Some HTML Tags are Getting Executed in com.nextcloud.client
    Type: Code Injection | Found by: ctulhu
    Triage: 0 days 6 hours | Close: 3 days 19 hours | Status: Resolved

[Low] Able to bypass "Device credentials" Lock
    Type: Improper Access Control - Generic | Found by: blackdex
    Triage: 3 days 17 hours | Close: 62 days 0 hours | Status: Resolved

[Low] Combination of content provider allows private data disclosure
    Type: Improper Access Control - Generic | Found by: doragon
    Triage: 4 days 19 hours | Close: 71 days 22 hours | Status: Resolved

[No rating] W3 Total Cache plugin multiple vulnerabilities
    Type: None supplied | Found by: funt0m
    Triage: 3 days 16 hours | Close: 51 days 22 hours | Status: Resolved

[High] In Dockerized Environments, Failing to Read config.php Grants Any Anonymous User Full Admin Access
    Type: Improper Access Control - Generic | Found by: theguynamedguy86
    Triage: 8 days 14 hours | Close: 76 days 15 hours | Status: Resolved

[Low] SQL Injection found in NextCloud Android App Content Provider
    Type: SQL Injection | Found by: bluedangerforyou
    Triage: 10 days 11 hours | Close: 67 days 19 hours | Status: Resolved

[Critical] Arbitrary SQL command injection
    Type: SQL Injection | Found by: leonklingele
    Triage: 0 days 1 hour | Close: 34 days 18 hours | Status: Resolved

[Low] Gallery: No feedback for invalid password
    Type: Business Logic Errors | Found by: foobar7
    Triage: 3 days 19 hours | Close: 240 days 23 hours | Status: Resolved

[Low] Extremely simple way to bypass Nextcloud-Client PIN/Fingerprint lock
    Type: Information Disclosure | Found by: volker_weissmann
    Triage: 9 days 13 hours | Close: 80 days 5 hours | Status: Resolved

[Low] SQLi allows query restriction bypass on exposed FileContentProvider
    Type: SQL Injection | Found by: doragon
    Triage: 2 days 21 hours | Close: 83 days 23 hours | Status: Resolved

[Medium] Vulnerable W3 Total Cache plugin version in use on nextcloud.com
    Type: Cross-Site Request Forgery (CSRF) | Found by: francescocar
    Triage: 3 days 4 hours | Close: 21 days 2 hours | Status: Informative

[Medium] Retrieval and alteration of exposed media on Android Oreo
    Type: Information Disclosure | Found by: doragon
    Triage: issue was not triaged | Close: 2 days 21 hours | Status: Informative

[Medium] Predictable Random Number Generator
    Type: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) | Found by: mru1
    Triage: 0 days 1 hour | Close: 2 days 20 hours | Status: Informative

[Low] Private/confidential setting of calendar events is ignored on activity stream
    Type: Information Disclosure | Found by: nickvergessen
    Triage: 0 days 0 hours | Close: 169 days 16 hours | Status: Resolved