
CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

12 Jul 2021 — Nextcloud Android Client is the Android client for Nextcloud. Clients using the Nextcloud end-to-end encryption feature download the public and private key via an API endpoint. In versions prior to 3.16.1, the Nextcloud Android client skipped a step that involved the client checking if a private key belonged to a previously downloaded public certificate. If the Nextcloud instance served a malicious public key, the data would be encrypted for this key and thus could be accessible to a malicious actor. The vu... • https://github.com/nextcloud/android/pull/8438 • CWE-295: Improper Certificate Validation

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

17 Jun 2021 — Nextcloud Android app is the Android client for Nextcloud. In versions prior to 3.15.1, a malicious application on the same device can crash the Nextcloud Android Client due to an uncaught exception. The vulnerability is patched in version 3.15.1. • https://github.com/nextcloud/android/pull/7919 • CWE-248: Uncaught Exception

CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 1

17 Jun 2021 — Nextcloud Android app is the Android client for Nextcloud. In versions prior to 3.16.1, a malicious app on the same device could have gotten access to the shared preferences of the Nextcloud Android application. This required user interaction, as a victim had to initiate the sharing flow and choose the malicious app. The shared preferences contain some limited private data such as push tokens and the account name. The vulnerability is patched in version 3.16.1. • https://github.com/nextcloud/android/pull/8433 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

11 Jun 2021 — Nextcloud Android App (com.nextcloud.client) before v3.16.0 is vulnerable to information disclosure due to searches for sharees being performed by default on the lookup server instead of only using the local Nextcloud server unless a global search has been explicitly chosen by the user. • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-22v9-q3r6-x7cj • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 4.7 • EPSS: 0% • CPEs: 1 • EXPL: 1

08 Jun 2021 — Nextcloud Android is the Android client for the Nextcloud open source home cloud system. Due to a timeout issue, the Android client may not properly clean all sensitive data on account removal. This could include sensitive key material such as the End-to-End encryption keys. It is recommended that the Nextcloud Android App is upgraded to 3.16.1. • https://github.com/nextcloud/android/commit/355f3c745b464b741b20a3b96597303490c26333 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor • CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer

CVSS: 4.3 • EPSS: 0% • CPEs: 2 • EXPL: 0

05 Apr 2017 — Nextcloud Server before 9.0.55 and 10.0.2 suffers from a Content-Spoofing vulnerability in the "files" app. The top navigation bar displayed in the files list contained partially user-controllable input leading to a potential misrepresentation of information. • http://www.securityfocus.com/bid/97491 • CWE-20: Improper Input Validation • CWE-451: User Interface (UI) Misrepresentation of Critical Information

CVSS: 5.3 • EPSS: 0% • CPEs: 2 • EXPL: 1

28 Mar 2017 — Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are vulnerable to a content-spoofing attack in the files app. The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user. • http://www.securityfocus.com/bid/97282 • CWE-284: Improper Access Control • CWE-451: User Interface (UI) Misrepresentation of Critical Information