CVE-2017-0888
https://notcve.org/view.php?id=CVE-2017-0888
Nextcloud Server before 9.0.55 and 10.0.2 suffers from a Content-Spoofing vulnerability in the "files" app. The top navigation bar displayed in the files list contained partially user-controllable input leading to a potential misrepresentation of information. Nextcloud Server en versiones anteriores a 9.0.55 y 10.0.2 sufre una vulnerabilidad de Content-Spoofing en la aplicación "files". La barra de navegación superior mostrada en la lista de archivos contenía entradas parcialmente controlables por el usuario que conducían a una posible representación errónea de la información. • http://www.securityfocus.com/bid/97491 https://hackerone.com/reports/179073 https://nextcloud.com/security/advisory/?id=nc-sa-2017-006 • CWE-20: Improper Input Validation CWE-451: User Interface (UI) Misrepresentation of Critical Information •
CVE-2017-0886
https://notcve.org/view.php?id=CVE-2017-0886
Nextcloud Server before 9.0.55 and 10.0.2 suffers from a Denial of Service attack. Due to an error in the application logic an authenticated adversary may trigger an endless recursion in the application leading to a potential Denial of Service. Nextcloud Server en versiones anteriores a 9.0.55 y 10.0.2 sufre de un ataque de denegación de servicio. Debido a un error en la lógica de la aplicación, un adversario autenticado puede desencadenar una recursión interminable en la aplicación que conduce a una posible denegación de servicio. • https://hackerone.com/reports/174524 https://nextcloud.com/security/advisory/?id=nc-sa-2017-004 • CWE-674: Uncontrolled Recursion •
CVE-2017-0884
https://notcve.org/view.php?id=CVE-2017-0884
Nextcloud Server before 9.0.55 and 10.0.2 suffers from a creation of folders in read-only folders despite lacking permissions issue. Due to a logical error in the file caching layer an authenticated adversary is able to create empty folders inside a shared folder. Note that this only affects folders and files that the adversary has at least read-only permissions for. Nextcloud Server en versiones anteriores a 9.0.55 y 10.0.2 sufre de una creación de carpetas en carpetas de sólo lectura a pesar del problema de permisos que faltan. Debido a un error lógico en la capa de caché de archivos, un adversario autenticado puede crear carpetas vacías dentro de una carpeta compartida. • https://hackerone.com/reports/169680 https://nextcloud.com/security/advisory/?id=nc-sa-2017-002 • CWE-275: Permission Issues CWE-732: Incorrect Permission Assignment for Critical Resource •
CVE-2017-0883
https://notcve.org/view.php?id=CVE-2017-0883
Nextcloud Server before 9.0.55 and 10.0.2 suffers from a permission increase on re-sharing via OCS API issue. A permission related issue within the OCS sharing API allowed an authenticated adversary to reshare shared files with an increasing permission set. This may allow an attacker to edit files in a share despite having only a 'read' permission set. Note that this only affects folders and files that the adversary has at least read-only permissions for. Nextcloud Server en versiones anteriores a 9.0.55 y 10.0.2 sufre un aumento de permiso al volver a compartir a través del problema de la API de OCS compartiendo API permitió a un adversario autenticado compartir archivos compartidos con un conjunto de permisos creciente. • https://hackerone.com/reports/169680 https://nextcloud.com/security/advisory/?id=nc-sa-2017-001 • CWE-275: Permission Issues CWE-732: Incorrect Permission Assignment for Critical Resource •
CVE-2017-0887
https://notcve.org/view.php?id=CVE-2017-0887
Nextcloud Server before 9.0.55 and 10.0.2 suffers from a bypass in the quota limitation. Due to not properly sanitizing values provided by the `OC-Total-Length` HTTP header an authenticated adversary may be able to exceed their configured user quota. Thus using more space than allowed by the administrator. Nextcloud Server en versiones anteriores a 9.0.55 y 10.0.2 Sufre una evasión en la limitación de cuota. Debido a que no se desinfectan correctamente los valores proporcionados por la cabecera "OC-Total-Length" HTTP, un adversario autenticado puede superar su cuota de usuario configurada. • https://hackerone.com/reports/173622 https://nextcloud.com/security/advisory/?id=nc-sa-2017-005 • CWE-20: Improper Input Validation CWE-807: Reliance on Untrusted Inputs in a Security Decision •