Page 2 of 27 results (0.006 seconds)

CVSS: 6.9EPSS: 0%CPEs: 3EXPL: 1

Nextcloud is an open-source productivity platform. In Nextcloud Desktop client 3.0.0 until 3.8.0, Nextcloud Android app 3.13.0 until 3.25.0, and Nextcloud iOS app 3.0.5 until 4.8.0, a malicious server administrator can gain full access to an end-to-end encrypted folder. They can decrypt files, recover the folder structure and add new files.​ This issue is fixed in Nextcloud Desktop 3.8.0, Nextcloud Android 3.25.0, and Nextcloud iOS 4.8.0. No known workarounds are available. • https://ethz.ch/content/dam/ethz/special-interest/infk/inst-infsec/appliedcrypto/education/theses/report_DanieleCoppola.pdf https://github.com/nextcloud/desktop/pull/5560 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8875-wxww-3rr8 • CWE-311: Missing Encryption of Sensitive Data CWE-325: Missing Cryptographic Step •

CVSS: 6.7EPSS: 0%CPEs: 1EXPL: 1

The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version 3.0.0 and prior to version 3.6.5, a malicious server administrator can gain full access to an end-to-end encrypted folder. They can decrypt files, recover the folder structure, and add new files.​ Users should upgrade the Nextcloud Desktop client to 3.6.5 to receive a patch. No known workarounds are available. • https://ethz.ch/content/dam/ethz/special-interest/infk/inst-infsec/appliedcrypto/education/theses/report_DanieleCoppola.pdf https://github.com/nextcloud/desktop/pull/5323 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-jh3g-wpwv-cqgr • CWE-325: Missing Cryptographic Step •

CVSS: 6.7EPSS: 0%CPEs: 1EXPL: 1

The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version 3.0.0 and prior to version 3.6.5, a malicious server administrator can recover and modify the contents of end-to-end encrypted files. Users should upgrade the Nextcloud Desktop client to 3.6.5 to receive a patch. No known workarounds are available. • https://ethz.ch/content/dam/ethz/special-interest/infk/inst-infsec/appliedcrypto/education/theses/report_DanieleCoppola.pdf https://github.com/nextcloud/desktop/pull/5324 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4p33-rw27-j5fc • CWE-323: Reusing a Nonce, Key Pair in Encryption •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

The Nextcloud Desktop Client is a tool to synchronize files from a Nextcloud Server with your computer. Versions prior to 3.6.3 are missing sanitisation on qml labels which are used for basic HTML elements such as `strong`, `em` and `head` lines in the UI of the desktop client. The lack of sanitisation may allow for javascript injection. It is recommended that the Nextcloud Desktop Client is upgraded to 3.6.3. There are no known workarounds for this issue. • https://github.com/nextcloud/desktop/pull/5233 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-64qc-vf6v-8xgg https://hackerone.com/reports/1788598 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1

Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application in the notifications. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue. Nexcloud Desktop es el cliente de sincronización de escritorio para Nextcloud. • https://github.com/nextcloud/desktop/pull/4944 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-c3xh-q694-6rc5 https://hackerone.com/reports/1668028 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •