CVSS: 3.5EPSS: 0%CPEs: 2EXPL: 0CVE-2017-0895
https://notcve.org/view.php?id=CVE-2017-0895
Nextcloud Server before 10.0.4 and 11.0.2 are vulnerable to disclosure of calendar and addressbook names to other logged-in users. Note that no actual content of the calendar and addressbook has been disclosed. Nextcloud Server anterior a 10.0.4 y 11.0.2 son vulnerables a la divulgación de los nombres de calendario y de libreta de direcciones a otros usuarios registrados. Tenga en cuenta que no se ha revelado ningún contenido real del calendario y de la libreta de direcciones. • https://hackerone.com/reports/203594 https://nextcloud.com/security/advisory/?id=nc-sa-2017-012 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-285: Improper Authorization •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2017-0892
https://notcve.org/view.php?id=CVE-2017-0892
Nextcloud Server before 11.0.3 is vulnerable to an improper session handling allowed an application specific password without permission to the files access to the users file. Nextcloud Server anterior a 11.0.3 es vulnerable a una manipulación incorrecta de la sesión, lo que permite especificar una contraseña a la aplicación sin permiso de acceso a ficheros o al fichero de usuarios • https://hackerone.com/reports/191979 https://nextcloud.com/security/advisory/?id=nc-sa-2017-009 • CWE-285: Improper Authorization CWE-384: Session Fixation •
CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 0CVE-2017-0891 – NextCloud / OwnCloud Cross Site Scripting
https://notcve.org/view.php?id=CVE-2017-0891
Nextcloud Server before 9.0.58 and 10.0.5 and 11.0.3 are vulnerable to an inadequate escaping of error messages leading to XSS vulnerabilities in multiple components. Nextcloud Server anterior a 9.0.58 a 10.0.5 y a 11.0.3 son vulnerables a un escape inadecuado de mensajes de error que conducen a vulnerabilidades XSS en múltiples componentes. NextCloud and OwnCloud suffer from a cross site scripting vulnerability in their error pages. OwnCloud versions 9.1.5 and below are affected. NextCloud versions prior to 11.0.3, 10.0.5, and 9.0.58 are affected. • https://hackerone.com/reports/216812 https://nextcloud.com/security/advisory/?id=nc-sa-2017-008 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2017-0890
https://notcve.org/view.php?id=CVE-2017-0890
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue. Nextcloud Server anterior a 11.0.3 es vulnerable a un escape inadecuado lo que produce una vulnerabilidad XSS en el módulo de búsqueda. Para ser explotable un usuario tiene que escribir o pegar contenido malicioso en el diálogo de búsqueda. • https://hackerone.com/reports/213227 https://nextcloud.com/security/advisory/?id=nc-sa-2017-007 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2017-0894
https://notcve.org/view.php?id=CVE-2017-0894
Nextcloud Server before 11.0.3 is vulnerable to disclosure of valid share tokens for public calendars due to a logical error. Thus granting an attacker potentially access to publicly shared calendars without knowing the share token. Nextcloud Server anterior a 11.0.3 es vulnerable a una divulgación de tokens de acciones válidos para los calendarios públicos debido a un error lógico. Por lo tanto, esto permite a un potencial atacante el acceso a calendarios compartidos públicamente sin conocer el token compartido. • https://hackerone.com/reports/218876 https://nextcloud.com/security/advisory/?id=nc-sa-2017-011 • CWE-285: Improper Authorization CWE-863: Incorrect Authorization •