Public Nextcloud bug reports.

Team Bounty Title
Nextcloud - CVE-2015-5477 BIND9 TKEY Vulnerability + Exploit (Denial of Service)
Nextcloud - Email Spoofing Vulnerability from nextcloud.
Nextcloud - Nextcloud Server Remote Command Execution
Nextcloud - I am because bug
Nextcloud - Wordpress Vulnerable to Potential Unauthorized Password Reset
Nextcloud - Missing Rate Limiting protection leading to mass triggering of e-mails
Nextcloud - Cross Site Scripting
Nextcloud - information disclose
Nextcloud - Stored XSS in Gallery application (NC-SA-2017-010)
Nextcloud - Content (Text) Injection at
Nextcloud - Clickjacking In
Nextcloud - Possible SSRF in email server settings(SMTP mode)
Nextcloud - The email API to test email-server settings is unlimited and can be used as a email bomb
Nextcloud - The email API to reset password is unlimited and can be used as a email bomb
Nextcloud - Content Spoofing/Text Injection in
Nextcloud - GIT Detected
Nextcloud - CSRF token validation is missing
Nextcloud - file is readable
Nextcloud - Share tokens for public calendars disclosed (NC-SA-2017-011)
Nextcloud - Design Issues on ( ███ ) Lead to show ( IPS of Users )
Nextcloud - Directory Listing In Subdomain Of
Nextcloud $450 Reflected XSS in error pages (NC-SA-2017-008)
Nextcloud - Server version/OS type disclosure via HTTP Response Header
Nextcloud - Content spoofing due to the improper behavior of the 403 page
Nextcloud - Update php-saml library to 2.10.5
Nextcloud - Content Spoofing/Text Injection in
Nextcloud - SSRF at
Nextcloud $250 DOM XSS vulnerability in search dialogue (NC-SA-2017-007)
Nextcloud - Invalid request may lead content spoofing for phishing
Nextcloud - Content spoofing due to the improper behavior of the 403 page
Nextcloud -; allows open redirect
Nextcloud - Version 4.7.2 of wordpress is vulnerable
Nextcloud - Missing SPF Flags on
Nextcloud $183 Calendar and addressbook names disclosed (NC-SA-2017-012)
Nextcloud - Wordpress 4.7.1
Nextcloud - Email Spoofing
Nextcloud - Missing Rate Limit for Current Password field in
Nextcloud - is vulnerable to SWEET32 attack
Nextcloud - Group admin can remove user from all his groups via API
Nextcloud - Drone Nextcloud
Nextcloud - HTTP-Basic Authentication on
Nextcloud - Disclosure of administrators via JSON on Wordpress
Nextcloud - WordPress <= 4.6.1 Stored XSS Via Theme File
Nextcloud - User Information Disclosure via REST API
Nextcloud - bug reporting template encourages users to paste config file with passwords
Nextcloud - Review remote code execution in SwiftMailer
Nextcloud - Reflected XSS in U2F plugin by shipping the example endpoints
Nextcloud $300 Limitation of app specific password scope can be bypassed (NC-SA-2017-009)
Nextcloud - Stored XSS on new Calling plugin (spreed)
Nextcloud - BruteForce in to Admin Account
Nextcloud - Login Hints on Admin Panel
Nextcloud - Wordpress Version Disclosure Bug On Nextcloud
Nextcloud - Files Drop: WebDAV endpoint is leaking existence of resources
Nextcloud $50 Content Spoofing in "files" app
Nextcloud - xss on due to outdated version
Nextcloud - Content spoofing due to the improper behavior of the 403 page in Private Server
Nextcloud - URI scheme bypass in mail app lead to HTML content spoof and opener control
Nextcloud - Dav sharing permissions issue
Nextcloud $250 Filename enumeration && DoS
Nextcloud - Bad content-type in response header when getting document can lead to html injection
Nextcloud - Bypassing quota limit
Nextcloud - Content spoofing in
Nextcloud $750 Bypass permissions
Nextcloud - Unauthenticated Stored xss
Nextcloud - Android - Possible to intercept broadcasts about uploaded files
Nextcloud - Privilege escalation - Normal user can somehow make admin to delete shared folders
Nextcloud $500 Reflected XSS in Gallery App
Nextcloud - Reflected Self-XSS Vulnerability in the Comment section of Files (Different-payloads)
Nextcloud $100 Reflected Self-XSS Vulnerability in the Comment section of Files Information
Nextcloud - Slow Http attack on nextcloud(DOS)
Nextcloud - Wordpress: Directory Traversal / Denial of Service
Nextcloud - Expired SSL certificate
Nextcloud - \OCA\DAV\CardDAV\ImageExportPlugin allows serving arbitrary data with user-defined or empty mimetype
Nextcloud - Information Disclosure of .htaccess file in Private Server/Subdomain
Nextcloud - Password Reset Link issue
Nextcloud - Content Injection -
Nextcloud - Content Injection -
Nextcloud - XSS on IOS app via HTML rendering
Nextcloud - Directory listening enabled in:
Nextcloud - Content spoofing due to default Apache Error Page
Nextcloud - Arbitrary File Upload in Logo & Log in image Theming setting.
Nextcloud - Content spoofing due to default Apache Error Page
Nextcloud $50 More content spoofing through dir param in the files app
Nextcloud - Bookmarks: Delete all existing bookmarks of a user
Nextcloud $100 IDOR - Disable sharing
Nextcloud - xss for admin of
Nextcloud - [Nextcloud 9.0.53] Content Spoofing in 'trustDomain' parameter
Nextcloud - Content spoofing in
Nextcloud - Information disclosure
Nextcloud - The application uses basic authentication.
Nextcloud $50 Content (Text) Injection at NextCloud Server 9.0.52 - via http://custom_nextcloud_url/remote.php/dav/files/
Nextcloud - [Thirdparty] Stored XSS in chat module - nextcloud server 9.0.51 installed in ubuntu 14.0.4 LTS
Nextcloud - No Rate Limiting on login
Nextcloud - Deny access to + folders
Nextcloud - Log pollution can lead to HTML Injection.
Nextcloud - REG: Content provider information leakage
Nextcloud - Email ID Disclosure.
Nextcloud - WordPress Vulnerabilities: User Enumeration, Vulnerable Akismet Plugin, XML-RPC Interface available
Nextcloud $100 Read-only share recipient can restore old versions of file
Nextcloud $250 Uploading files to a folder where invited user don't have any EDIT privilege
Nextcloud - Password reset link remains valid after email change
Nextcloud - Content Injection in subdomain
Nextcloud - Content injection in subdomain
Nextcloud - Content Spoofing/Text Injection -
Nextcloud - Content Injection 404 page
Nextcloud - Business/Functional logic bypass: Remove admins from admin group.
Nextcloud - help.nextcloud Email Address/Username enumeration
Nextcloud - Bypass firewall protection
Nextcloud - Bruteforcing
Nextcloud - Bruteforce attack is possible on
Nextcloud - No captcha on newsletter.nextcloudcom leaves vulnerable to email spammers
Nextcloud - Avatar image upload and bypass real image verification
Nextcloud - Directory listening and Information Disclosure
Nextcloud - Lost Password CSRF
Nextcloud - Directory Listing On & Practical Attacks on PGP (Pretty Good Privacy)
Nextcloud - Server side request forgery (SSRF) on nextcloud implementation.
Nextcloud - Vulnerable Javascript library
Nextcloud - Directory listening for 'wp-includes' folders
Nextcloud - failure to invalidate session on password change
Nextcloud $50 Nextcloud server software: Content Spoofing
Nextcloud - No rate limiting on password protected shared file link
Nextcloud - Mail Bombing ( No Rate Limiting On Sending Emails On Contact us Page)
Nextcloud $350 Share owner has no possibility to list all existing derived shares
Nextcloud - Session Management Issue
Nextcloud - Known DoS condition (null pointer deref) in Nginx running
Nextcloud - No permission set on Activities [Android App]
Nextcloud - Enumeration of subscribed users and unauthenticated email unsubscriptions on
Nextcloud - Response Header injection using redirect_uri together with PHP that utilizes Header Folding according to RFC1945 and Internet Explorer 11
Nextcloud - Content Injection
Nextcloud - Content Spoofing
Nextcloud $750 Stored XSS on Share-popup of a directory's Gallery-view
Nextcloud - Content Injection Custom 404 Error