Page 28 of 158 results (0.004 seconds)

CVSS: 5.7EPSS: 0%CPEs: 2EXPL: 0

Nextcloud Server before 11.0.7 and 12.0.5 suffers from an Authorization Bypass Through User-Controlled Key vulnerability. A missing ownership check allowed logged-in users to change the scope of app passwords of other users. Note that the app passwords themselves where neither disclosed nor could the error be misused to identify as another user. Nextcloud Server en versiones anteriores a la 11.0.7 y versiones 12.0.5 contiene una vulnerabilidad de omisión de autorización mediante una clave controlada por el usuario. La falta de una verificación de propiedad permitía a los usuarios con sesión iniciada modificar el alcance de las contraseñas de la aplicación de otros usuarios. • https://hackerone.com/reports/297751 https://nextcloud.com/security/advisory/?id=nc-sa-2018-001 • CWE-639: Authorization Bypass Through User-Controlled Key •

CVSS: 3.5EPSS: 0%CPEs: 2EXPL: 0

Nextcloud Server before 10.0.4 and 11.0.2 are vulnerable to disclosure of calendar and addressbook names to other logged-in users. Note that no actual content of the calendar and addressbook has been disclosed. Nextcloud Server anterior a 10.0.4 y 11.0.2 son vulnerables a la divulgación de los nombres de calendario y de libreta de direcciones a otros usuarios registrados. Tenga en cuenta que no se ha revelado ningún contenido real del calendario y de la libreta de direcciones. • https://hackerone.com/reports/203594 https://nextcloud.com/security/advisory/?id=nc-sa-2017-012 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-285: Improper Authorization •

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

Nextcloud Server before 11.0.3 is vulnerable to disclosure of valid share tokens for public calendars due to a logical error. Thus granting an attacker potentially access to publicly shared calendars without knowing the share token. Nextcloud Server anterior a 11.0.3 es vulnerable a una divulgación de tokens de acciones válidos para los calendarios públicos debido a un error lógico. Por lo tanto, esto permite a un potencial atacante el acceso a calendarios compartidos públicamente sin conocer el token compartido. • https://hackerone.com/reports/218876 https://nextcloud.com/security/advisory/?id=nc-sa-2017-011 • CWE-285: Improper Authorization CWE-863: Incorrect Authorization •

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

Nextcloud Server before 11.0.3 is vulnerable to an improper session handling allowed an application specific password without permission to the files access to the users file. Nextcloud Server anterior a 11.0.3 es vulnerable a una manipulación incorrecta de la sesión, lo que permite especificar una contraseña a la aplicación sin permiso de acceso a ficheros o al fichero de usuarios • https://hackerone.com/reports/191979 https://nextcloud.com/security/advisory/?id=nc-sa-2017-009 • CWE-285: Improper Authorization CWE-384: Session Fixation •

CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 0

Nextcloud Server before 9.0.58 and 10.0.5 and 11.0.3 are vulnerable to an inadequate escaping of error messages leading to XSS vulnerabilities in multiple components. Nextcloud Server anterior a 9.0.58 a 10.0.5 y a 11.0.3 son vulnerables a un escape inadecuado de mensajes de error que conducen a vulnerabilidades XSS en múltiples componentes. NextCloud and OwnCloud suffer from a cross site scripting vulnerability in their error pages. OwnCloud versions 9.1.5 and below are affected. NextCloud versions prior to 11.0.3, 10.0.5, and 9.0.58 are affected. • https://hackerone.com/reports/216812 https://nextcloud.com/security/advisory/?id=nc-sa-2017-008 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •